Table 11-8 rip Command Parameters

if-name         The name of the interface to which the RIP configuration will apply (the name assigned in the nameif command).
default         Keyword indicating that you want to broadcast the address of the specified interface as a default route.
passive         Enables passive RIP on the interface. The Security Appliance listens for RIP routing updates and uses the information received to populate its routing table.
version         Keyword used to specify the version of RIP to use. This keyword must be followed by either 1 or 2 to indicate the RIP version to use.
authentication  Keyword to enable RIP version 2 authentication.
text            Keyword indicating that RIP updates should be sent in the clear.
md5             Keyword indicating that RIP updates should use MD5 authentication.
key             The key to encrypt routing updates. This key is a text string of up to 16 characters.
key_id          The key identification value in the range between 1 and 255. The same key ID must be used on all of your RIP-enabled devices that communicate with one another.

Configuring RIP
To enable the Security Appliance to learn new routes based on RIP routing updates, you use
the rip command. The syntax for the rip command is as follows:
rip if-name default | passive [version {1 | 2}] [authentication {text | md5} key key_id]
Table 11-8 describes the various parameters for the rip command.
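The following parser and review function is an added example written for this page; it is not Security Appliance code and not from the book. It splits a rip command according to the syntax above and reports the settings a reviewer would want changed: no authentication (any sender on the segment can feed the appliance routes in passive mode), authentication without version 2 (the book describes authentication as a RIP version 2 feature), clear-text authentication, and key or key_id values outside the limits in Table 11-8. One caveat worth keeping in mind when reading Table 11-8: the md5 option authenticates updates with a keyed hash, it does not encrypt them, so the routes themselves remain readable on the wire. The interface names and keys in SAMPLE_CONFIG are constructed values.

```python
"""Parse Security Appliance `rip` commands and flag weak settings (added example, not from the book)."""
import re

# rip if-name default | passive [version {1 | 2}] [authentication {text | md5} key key_id]
RIP_RE = re.compile(
    r"^rip\s+(?P<ifname>\S+)\s+(?P<mode>default|passive)"
    r"(?:\s+version\s+(?P<version>[12]))?"
    r"(?:\s+authentication\s+(?P<auth>text|md5)\s+(?P<key>\S+)\s+(?P<key_id>\d+))?"
    r"\s*$"
)


def parse_rip(line):
    """Split one rip command into its fields (see Table 11-8); raises ValueError on bad syntax."""
    m = RIP_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised rip command: %r" % line)
    fields = m.groupdict()
    fields["version"] = int(fields["version"]) if fields["version"] else None
    fields["key_id"] = int(fields["key_id"]) if fields["key_id"] else None
    return fields


def review_rip(line):
    """Return a list of findings for one rip command; an empty list means nothing to report."""
    f = parse_rip(line)
    findings = []
    if f["auth"] is None:
        if f["mode"] == "passive":
            findings.append("unauthenticated passive RIP on %s: routing updates from any sender "
                            "are accepted into the routing table" % f["ifname"])
        else:
            findings.append("unauthenticated RIP on %s: add 'version 2 authentication md5'" % f["ifname"])
        return findings
    if f["version"] != 2:
        findings.append("authentication is a RIP version 2 feature; add 'version 2'")
    if f["auth"] == "text":
        findings.append("clear-text authentication: the key is visible on the wire; use md5")
    if len(f["key"]) > 16:
        findings.append("key exceeds the 16-character maximum")
    if not 1 <= f["key_id"] <= 255:
        findings.append("key_id must be in the range 1 to 255")
    return findings


def review_config(lines):
    """Map each rip line of a configuration to its findings."""
    return {line: review_rip(line) for line in lines}


# Constructed sample configuration lines (interface names and keys are not from the book).
SAMPLE_CONFIG = [
    "rip inside passive",
    "rip outside default version 1",
    "rip dmz passive version 2 authentication text Sup3rSecretKey1 1",
    "rip inside passive version 2 authentication md5 Sup3rSecretKey1 1",
]

if __name__ == "__main__":
    for line, findings in review_config(SAMPLE_CONFIG).items():
        print(line)
        for msg in findings or ["ok"]:
            print("   ", msg)
```

Run over a saved configuration, the review picks out every rip line that would accept or send updates without MD5 authentication; the last sample line is the form the review passes without comment.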

Dynamic Routes
Besides creating static routes manually, the Cisco Security Appliance also supports some
dynamic routing functionality. Dynamic routes are created based on routing protocols that
automatically add entries into the Security Appliance’s routing table. The Security Appliance
supports the following two different routing protocols, but only one can be active on a single
Security Appliance:
■ RIP
■ OSPF
NOTE Although you can configure the Security Appliance to generate an ARP request to
determine the destination address to which to send traffic, this configuration is not
recommended. ARP is an unauthenticated protocol and this configuration can pose a
security risk.
Example 11-1 Output of the show route Command
pix515a# show route
intf5 0.0.0.0 0.0.0.0 10.89.141.1 1 OTHER static
inside 10.10.10.0 255.255.255.0 10.10.10.1 1 CONNECT static
inside 10.10.20.0 255.255.255.0 10.10.10.2 2 OTHER static
intf5 10.89.141.0 255.255.255.0 10.89.141.80 1 CONNECT static
intf4 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static
outside 192.168.10.0 255.255.255.0 192.168.10.80 1 CONNECT static
pix515a#
NOTE You can also remove individual routes by placing the no keyword in front of the
original command used to create the static route.
The Security Appliance can learn new routes based on the RIP routing broadcasts, but the
Security Appliance does not have the functionality to propagate these learned routes to other
devices. With OSPF, the Security Appliance learns new routes, and it can also propagate that
information to other devices.

Default Route
Configuring multiple routes can be a time-consuming task, especially for the traffic bound
for the Internet. Therefore, you can create a special route known as a default route. This
route is automatically used for any traffic that does not match any other routes on the system.
When configuring the default route, you use a destination IP address of 0.0.0.0 and a
netmask of 0.0.0.0.
Instead of using the address of a gateway router when you are configuring a static route, you
can specify the IP address of one of the Security Appliance’s own interfaces. When you create
a route in this manner, the Security Appliance does not have a destination IP address to which
to send the traffic. Therefore, the Security Appliance broadcasts an ARP request on the
specified interface to determine the address to which to send the traffic. Any router that has
a route to the destination address can generate a proxy ARP (using its own interface’s
Ethernet address), enabling the Security Appliance to update its ARP cache with an entry for
the IP address of the traffic. The Security Appliance uses this proxy ARP to then send the
traffic to the router that has a route to the destination IP address.
Table 11-7 route Command Parameters (Continued)

gateway         The IP address of the gateway to which the routed traffic will be sent.
metric          The administrative distance of the route. Normally, this indicates the number of hops to the destination network. When routing, this value is used to choose the best route when multiple routes exist.
280 Chapter 11: Routing and the Cisco Security Appliance
Static routes are stored in your Security Appliance configuration and restored when your
Security Appliance is reloaded. To view the routes on your Security Appliance, you use the
show route command. This command displays all the routes in the Security Appliance’s
routing table, such as shown in Example 11-1.
The static routes with the keyword CONNECT indicate routes that are automatically
created when you define the IP address for an interface. The routes with the OTHER
keyword indicate static routes that have been manually entered.
Sometimes, you may want to remove the static routes that you have already configured. You
can do this using the clear route command.

Static Routes
Static routes are manually configured routes that do not frequently change. They essentially
direct your Security Appliance to send traffic destined for a specific network to a specific
router that has connectivity to the destination network. Static routes are perhaps best
explained by using a network example. Figure 11-1 illustrates a simple network
configuration with hosts on both the 10.10.10.0 and 10.10.20.0 networks.
Figure 11-1 Static Routes
When you configure the inside interface on the Security Appliance with a Class C address of
10.10.10.1, the Security Appliance automatically creates a route that enables it to send traffic
for the 10.10.10.0 network to the inside interface (identified by the keyword CONNECT
when viewing the routes). The Security Appliance may also receive traffic for the host whose
IP address is 10.10.20.10. By default, if the Security Appliance receives traffic for
10.10.20.10, it will not know where to send it. To enable the Security Appliance to know
where to send traffic for 10.10.20.10, you can configure a static route using the route
command. The syntax for the route command is as follows:
route interface-name ip-address netmask gateway [metric]
The parameters for the route command are explained in Table 11-7. Using the network in
Figure 11-1, you can define a static route for the 10.10.20.0 network using the following
command:
pix515a(config)# route inside 10.10.20.0 255.255.255.0 10.10.10.2 1
Table 11-7 route Command Parameters

interface-name  The name of the interface on the Security Appliance through which the traffic will travel to reach the destination network (the name assigned in the nameif command).
ip-address      The IP address(es) of the traffic to which the route pertains.
netmask         The network mask of the route, which indicates the number of addresses covered by the route. (For example, a Class C network pertains to 256 different addresses and is specified as 255.255.255.0.)
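The model below is an added example for this chapter's Static Routes and Default Route sections; it is not Security Appliance code and not from the book. It turns interface addresses into CONNECT routes, parses route commands of the form route interface-name ip-address netmask gateway [metric] into OTHER routes, prints them in the layout of Example 11-1, and resolves destinations by longest prefix match, which is why the 0.0.0.0 0.0.0.0 default route only catches traffic no other route covers. It also records a warning when a route's gateway is one of the appliance's own interface addresses, the proxy-ARP configuration that the chapter's NOTE advises against. The inside address 10.10.10.1, the 10.10.20.0 route and the outside address 192.168.10.80 come from Figure 11-1 and Example 11-1; the default gateway 192.168.10.1 and the looked-up hosts are constructed.

```python
"""Static and default routes with longest-prefix lookup (added example, not from the book)."""
import ipaddress


class Route:
    """One line of `show route`: interface, network, gateway, metric and CONNECT/OTHER."""

    def __init__(self, ifname, network, gateway, metric, kind):
        self.ifname, self.network, self.gateway, self.metric, self.kind = ifname, network, gateway, metric, kind

    def __repr__(self):
        return "%s %s %s %d %s static" % (
            self.ifname, self.network.with_netmask.replace("/", " "), self.gateway, self.metric, self.kind)


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.warnings = []

    def add_interface(self, ifname, ip, netmask):
        """Assigning an interface address creates the CONNECT route for the attached network."""
        net = ipaddress.IPv4Network("%s/%s" % (ip, netmask), strict=False)
        self.routes.append(Route(ifname, net, ipaddress.IPv4Address(ip), 1, "CONNECT"))

    def add_route_command(self, line):
        """Parse `route interface-name ip-address netmask gateway [metric]` into an OTHER route."""
        parts = line.split()
        if len(parts) not in (5, 6) or parts[0] != "route":
            raise ValueError("not a route command: %r" % line)
        ifname, ip, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) == 6 else 1
        net = ipaddress.IPv4Network("%s/%s" % (ip, mask), strict=False)
        gw = ipaddress.IPv4Address(gw)
        # Gateway equal to one of our own interface addresses: next hop would be found by proxy ARP.
        if any(r.kind == "CONNECT" and r.gateway == gw for r in self.routes):
            self.warnings.append("%s: gateway is the appliance's own %s address; the next hop would be "
                                 "resolved by unauthenticated proxy ARP (not recommended)" % (line, ifname))
        self.routes.append(Route(ifname, net, gw, metric, "OTHER"))

    def lookup(self, dest):
        """Longest matching prefix wins; ties go to the lower metric; None when nothing matches."""
        dest = ipaddress.IPv4Address(dest)
        matches = [r for r in self.routes if dest in r.network]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))

    def show_route(self):
        return "\n".join(repr(r) for r in self.routes)


def build_figure_11_1_table(with_default=True):
    """Figure 11-1 / Example 11-1 addresses; the default gateway 192.168.10.1 is a constructed value."""
    t = RoutingTable()
    t.add_interface("inside", "10.10.10.1", "255.255.255.0")
    t.add_interface("outside", "192.168.10.80", "255.255.255.0")
    t.add_route_command("route inside 10.10.20.0 255.255.255.0 10.10.10.2 1")
    if with_default:
        t.add_route_command("route outside 0.0.0.0 0.0.0.0 192.168.10.1")
    return t


if __name__ == "__main__":
    table = build_figure_11_1_table()
    print(table.show_route())
    for host in ("10.10.20.10", "10.10.10.5", "203.0.113.7"):  # constructed destinations
        print(host, "->", table.lookup(host))
```

Without the default route, the lookup for 203.0.113.7 returns None, which is the "does not know where to send it" case the Static Routes section describes.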

IP Routing
At the IP layer, your Cisco Security Appliance routes traffic based on the IP addresses in the
network traffic. It does not provide all the functionality of a router, but it does enable you to
define the following two types of routes:
■ Static routes
■ Dynamic routes

Managing VLANs
After you create your logical interfaces, you also need to assign the following parameters to
each logical interface:
■ Interface name
■ Security level
■ IP address
NOTE You do not need to assign a VLAN to the physical interface to assign logical
interfaces to an interface.
Using the nameif interface command, you can assign an interface name to a logical interface.
The syntax for the nameif command is as follows:
nameif interface-name
The interface-name parameter for the nameif command is the name to be assigned to the
specified interface.
Using the security-level interface command, you can assign a security level to a logical
interface. The syntax for the security-level command is as follows:
security-level security-level
The security-level parameter is the security level for the specified interface in the range from
0 to 100, with 0 being the least trusted interface and 100 being the most trusted interface.
Finally, you need to complete your logical interface configuration by assigning an IP address
to the logical interface. To assign an IP address to an interface, you use the ip address
command. The syntax for this command is as follows:
ip address ip-address

Table 11-6 interface Command Parameters

hardware-id       Specifies the network interface on which the command will be applied (such as Ethernet0).
subinterface-num  The subinterface identifier that will be assigned for this logical interface, which can be between 1 and 4,294,967,293.
mapped-name       In multiple-context mode, enter the mapped name if it was assigned using the allocate-interface command.
shutdown          Keyword indicating that the interface should be administratively shut down.

After you have created a subinterface on the physical interface, you must assign the
subinterface to a VLAN. Use the vlan command in subinterface configuration mode to assign
that subinterface to a specific VLAN. The syntax is as follows:
vlan vlan-id
The vlan-id parameter for the vlan command specifies the VLAN identifier to be associated
with either the network or the logical interface.
Suppose that interface Ethernet0 on your Security Appliance, such as an ASA 5520, is
connected to an enterprise LAN and that you want to configure three logical interfaces on
that same physical interface for VLAN 40 through VLAN 42. The commands to accomplish
this are as follows:
pix515a(config)# interface Ethernet0.1
pix515a(config-subif)# vlan 40
pix515a(config)# interface Ethernet0.2
pix515a(config-subif)# vlan 41
pix515a(config)# interface Ethernet0.3
pix515a(config-subif)# vlan 42

Table 11-2 Maximum Interfaces for Restricted License

Cisco Secure PIX Model   Total Interfaces   Physical Interfaces   Logical Interfaces
515E                     5                  3                     10
525                      8                  6                     25
535                      10                 8                     50

NOTE VLANs are not supported on the PIX 501. The PIX 506/506E support 802.1q trunking with the introduction of PIX OS 6.3.4.

Understanding Logical Interfaces
Your Security Appliance has a limited number of physical interfaces. This limits the number
of Layer 3 networks to which the Security Appliance can be directly connected. If you use
VLANs to segment your network into smaller broadcast domains, each of these VLANs
represents a different Layer 3 network. By using logical interfaces, you can accommodate
multiple VLANs by using trunk lines on your switch ports and configuring multiple logical
interfaces on a single physical interface on your Security Appliance. Logical interfaces
overcome the physical interface limitation by enabling a single physical interface to handle
multiple logical interfaces.
Table 11-2 shows the maximum number of interfaces allowed using a PIX Firewall restricted
license, while Table 11-3 shows the maximum number of interfaces allowed for a PIX
Firewall unrestricted license.
Table 11-4 shows the maximum number of interfaces allowed using an ASA Security
Appliance base license, while Table 11-5 shows the maximum number of interfaces allowed
for an ASA Security Appliance Security Plus license.

Understanding Trunk Ports
Usually, you configure a switch port as a member of a specific VLAN. This automatically
associates all of the regular Ethernet traffic received on that port with that VLAN.
Sometimes, however, you may want a single port to receive traffic from multiple VLANs.
A switch port that accepts traffic from multiple VLANs is known as a trunk port.
To differentiate between the different VLANs, each packet is tagged with a specific VLAN
identifier. This identifier informs the switch to which VLAN the traffic needs to be forwarded.
By using trunk lines on your switch, your Security Appliance can send and receive traffic
from multiple VLANs using only a single physical interface.
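To make "each packet is tagged with a specific VLAN identifier" concrete, here is an added example (written for this page, not from the book) that builds and parses 802.1Q-tagged Ethernet frames. After the destination and source MAC addresses, a tagged frame carries the tag protocol identifier 0x8100 and a 16-bit tag control field (3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID); the original EtherType follows the tag. The last function groups frames the way an interface with one logical interface per VLAN would, with frames for VLANs that have no logical interface (and untagged frames) set aside, using the VLAN 40 to 42 configuration shown earlier in the chapter. All frames, MAC addresses and payloads are constructed sample data.

```python
"""Build and parse 802.1Q VLAN tags (added example, not from the book)."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses: broadcast destination, locally administered source.
BCAST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")


def build_tagged_frame(dst_mac, src_mac, vlan_id, ethertype, payload, priority=0):
    """Build an 802.1Q frame; used here only to create sample input."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = (priority << 13) | vlan_id     # PCP (3 bits), DEI (1 bit, zero here), VID (12 bits)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a tagged or untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def vlan_of(frame):
    return parse_frame(frame)[0]


def sort_by_vlan(frames, configured_vlans):
    """Group frames as a trunk-connected interface with one logical interface per VLAN would.
    Frames whose VLAN has no logical interface, or that carry no tag, go under the key None."""
    buckets = {}
    for frame in frames:
        vid = vlan_of(frame)
        key = vid if vid in configured_vlans else None
        buckets.setdefault(key, []).append(frame)
    return buckets


# Constructed sample frames for the VLAN 40 to 42 configuration shown earlier in the chapter.
SAMPLE_FRAMES = [
    build_tagged_frame(BCAST, SRC, 40, ETHERTYPE_ARP, b"\x00" * 28),
    build_tagged_frame(BCAST, SRC, 41, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, priority=5),
    build_tagged_frame(BCAST, SRC, 99, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),   # no logical interface
    build_untagged_frame(BCAST, SRC, ETHERTYPE_ARP, b"\x00" * 28),
]

if __name__ == "__main__":
    for vid, frames in sort_by_vlan(SAMPLE_FRAMES, {40, 41, 42}).items():
        print("VLAN", vid, "frames:", len(frames))
```

The priority bits on the VLAN 41 sample frame show why the parser masks the tag control field with 0x0FFF: only the low 12 bits are the VLAN identifier.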

Understanding VLANs
At the Ethernet layer, you can partition your network using VLANs. These VLANs limit the
scope of broadcast traffic on your network because each VLAN represents an individual
broadcast domain. By dividing your switched network using VLANs, you improve the
security of your network by limiting the scope of broadcast traffic that is vital for the
operation of your network, such as Address Resolution Protocol (ARP) traffic and Dynamic
Host Configuration Protocol (DHCP) traffic.

General Routing Principles
Although your Cisco Security Appliance is not a router, it does need to provide certain
routing and switching functionality. Whenever your Security Appliance processes valid
traffic, it must determine which interface provides the correct path for the destination
network. It may also have to tag the traffic for the appropriate Virtual LAN (VLAN). Not
only can your Security Appliance route valid traffic, you can also configure it to forward
multicast traffic. Sending multicast traffic to a multicast broadcast address enables multiple
systems to receive a data stream that otherwise would have to be sent to each individual
system.
This chapter focuses on the following three features that enable your Cisco Security
Appliance to effectively route and switch traffic:
■ Ethernet VLAN tagging
■ IP routing
■ Multicast routing

Logging Severity Levels

Level           Numeric Code   System Condition
Emergency       0              System unusable message
Alert           1              Take immediate action
Critical        2              Critical condition
Error           3              Error message
Warning         4              Warning message
Notification    5              Normal but significant condition
Informational   6              Information message
Debug           7              Debug message, log FTP commands, and WWW URLs
System log messages received at a syslog server begin with a percent sign (%) and are
structured as follows:
%PIX-level-message_number: message_text
You can set the level with the logging command so that you can view syslog messages on the
Security Appliance console, from a syslog server, or with SNMP.
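The parser below is an added example for this section, not Security Appliance code and not from the book. It extracts the level, message number and text from lines in the %PIX-level-message_number: message_text format (also when a syslog server has prefixed them with a timestamp and host name), maps the level to the name in the table above, and applies a configured logging level the way syslog thresholds work in general: level N passes every message with numeric code N or lower. The sample lines are constructed; their message numbers and texts are illustrative and do not correspond to real Security Appliance message definitions. The level 7 sample shows why the Debug row of the table deserves attention: it logs FTP commands and URLs, which can carry user data into the log store.

```python
"""Parse %PIX syslog messages and apply a logging level (added example, not from the book)."""
import re

# Numeric code -> level name, as in the Logging Severity Levels table.
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug",
}

# %PIX-level-message_number: message_text, possibly preceded by a syslog server's own header.
MESSAGE_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<number>\d+):\s*(?P<text>.*)$")


def parse_message(line):
    """Return a dict with level, severity, number and text, or None for lines that are not PIX messages."""
    m = MESSAGE_RE.search(line.strip())
    if m is None:
        return None
    level = int(m.group("level"))
    return {"level": level, "severity": SEVERITY[level],
            "number": int(m.group("number")), "text": m.group("text")}


def passes(message, logging_level):
    """A configured level delivers that level and everything more severe (numerically lower)."""
    return message["level"] <= logging_level


def select_messages(lines, logging_level):
    """Parsed messages that a `logging` level of logging_level would deliver."""
    selected = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and passes(msg, logging_level):
            selected.append(msg)
    return selected


def count_by_severity(messages):
    counts = {}
    for m in messages:
        counts[m["severity"]] = counts.get(m["severity"], 0) + 1
    return counts


# Constructed sample feed: message numbers and texts are illustrative only.
SAMPLE_LINES = [
    "%PIX-4-100001: Deny tcp src outside:203.0.113.9/4321 dst inside:10.10.10.5/22 by access-group acl_out",
    "Jun 10 12:00:01 pix515a %PIX-6-100002: Built inbound TCP connection 42 for outside:203.0.113.10/55000 to inside:10.10.10.5/80",
    "%PIX-2-100003: Translation table exhausted, dropping new connections",
    "%PIX-7-100004: FTP command RETR /private/report.txt from inside:10.10.10.7",
    "not a PIX message at all",
]

if __name__ == "__main__":
    for level in (4, 6, 7):
        delivered = select_messages(SAMPLE_LINES, level)
        print("logging level", level, "->", len(delivered), "messages", count_by_severity(delivered))
```

At level 4 only the Warning and Critical samples are delivered; at level 7 the FTP command line is delivered as well.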

PIX Firewall Syslog Server
PIX Firewall Syslog Server (PFSS) lets you view PIX Firewall event information from a
Windows NT system. It includes special features not found on other syslog servers:
■ The ability to receive syslog messages by TCP or UDP
■ Full reliability, because messages can be sent using TCP
PFSS can receive syslog messages from up to ten PIX units. You can install this product for
use with any model of Cisco PIX Firewall. If you have specified that the PIX send syslog
messages using TCP, the Windows NT disk might become full and the PIX unit stops its
traffic. If the Windows NT file system is full, the Windows system beeps, and the PFSS
disables all TCP connections from the PIX unit(s) by closing its TCP listen socket. The PIX
tries to reconnect to the PFSS five times, and during the retry it stops all new connections
through the PIX.
NOTE PFSS does not support the ASA Security Appliance.

Configuring a Syslogd Server
Because syslogd was originally a UNIX concept, the features available in the syslogd
products on non-UNIX systems depend on the vendor implementation. Features might
include dividing incoming messages by facility or debug level or both, resolving the names of
the sending devices, and reporting facilities. For information on configuring the non-UNIX
syslog server, refer to the vendor’s documentation.
To configure syslog on UNIX, follow these steps:
Step 1 On SunOS, AIX, HPUX, or Solaris, as root, make a backup of the /etc/syslog.conf file before modifying it.
Step 2 Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices—that is, which logging-facility.level goes in which file. Make sure there is a tab between the logging-facility.level and file-name.
Step 3 Make sure the destination file exists and is writable.
Step 4 The #Comment section at the beginning of syslog.conf usually explains the syntax for the UNIX system.
Step 5 Do not put file information in the ifdef section.
Step 6 As root, restart syslogd to pick up changes.
For example, if /etc/syslog.conf is set for
local7.warn /var/log/local7.warn
warning, error, critical, alert, and emergency messages coming in on the local7 logging
facility are logged in the local7.warn file. Notification, informational, and debug messages
coming in on the local7 facility are not logged anywhere.
NOTE Configuring the syslog server is not covered on the PIX CSPFA 642-522 exam.
If /etc/syslog.conf is set for
*.debug /var/log/all.debug
all message levels from all logging facilities go to this file.
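The following is an added example for the steps above, not taken from the book or from any syslogd implementation. It reads syslog.conf lines in the facility.level<TAB>file form (the tab requirement from Step 2 is enforced, and a line that uses spaces is reported rather than silently accepted), evaluates selectors the way the two configurations above describe (local7.warn catches warning and more severe messages on local7, *.debug catches everything), and answers where a message with a given facility and numeric level ends up. Levels are the 0 to 7 codes from the severity table, so the same value a Security Appliance puts in a %PIX message can be used directly. The configuration text is constructed; the parser handles only the basic facility.level selector form, not the = or ! modifiers some syslogd versions add.

```python
"""Evaluate syslog.conf selectors for incoming messages (added example, not from the book)."""

LEVEL_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITY_NAMES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp"} | {"local%d" % i for i in range(8)}


def level_index(name):
    """Map a syslog.conf level name (or alias) to its numeric code 0..7."""
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVEL_NAMES:
        raise ValueError("unknown level %r" % name)
    return LEVEL_NAMES.index(name)


def parse_rule(line):
    """Parse one 'selector<TAB>file' line into ([(facilities or None, max_level)], file)."""
    if "\t" not in line:
        raise ValueError("selector and file name must be separated by a tab: %r" % line)
    selector, target = line.split("\t", 1)
    target = target.strip()
    if not target:
        raise ValueError("missing file name: %r" % line)
    parts = []
    for item in selector.strip().split(";"):          # several selectors may share one file
        fac_part, _, lvl = item.partition(".")
        if not lvl:
            raise ValueError("selector needs facility.level: %r" % item)
        facilities = None if fac_part == "*" else set(fac_part.split(","))
        if facilities and not facilities <= FACILITY_NAMES:
            raise ValueError("unknown facility in %r" % item)
        parts.append((facilities, level_index(lvl)))
    return parts, target


def load_conf(text):
    """Return (rules, errors); comment and blank lines are skipped, bad lines reported by number."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as e:
            errors.append("line %d: %s" % (n, e))
    return rules, errors


def destinations(rules, facility, level):
    """Files a message with this facility and numeric level (0 = emerg .. 7 = debug) is written to."""
    out = []
    for parts, target in rules:
        if any((facs is None or facility in facs) and level <= max_level for facs, max_level in parts):
            out.append(target)
    return out


# Constructed sample configuration: the two selectors from the text plus one deliberately broken line.
SAMPLE_CONF = "\n".join([
    "# selector and file name are separated by a tab",
    "local7.warn\t/var/log/local7.warn",
    "*.debug\t/var/log/all.debug",
    "local7.err /var/log/broken.log",     # space instead of tab: reported, not loaded
])

if __name__ == "__main__":
    rules, errors = load_conf(SAMPLE_CONF)
    for err in errors:
        print("config error:", err)
    for fac, lvl in (("local7", 5), ("local7", 3), ("local0", 4)):
        print(fac, LEVEL_NAMES[lvl], "->", destinations(rules, fac, lvl))
```

A notification (level 5) on local7 lands only in all.debug, matching the text's statement that notification, informational and debug messages on local7 are not written to local7.warn; an error (level 3) lands in both files.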

Configuring SNMP Traps and SNMP Requests
SNMP requests can be used to query the Security Appliance on its system status information.
If you want to send only the cold start, link up, and link down generic traps, no further
configuration is required. SNMP traps send information about a particular event only when
the configured threshold is reached.
To configure a Security Appliance to receive SNMP requests from a management station, you
must do the following:
■ Configure the IP address of the SNMP management station with the snmp-server host
command.
■ Set the snmp-server options for location, contact, and the community password as
required.
To configure SNMP traps on the PIX, you must do the following:
■ Configure the IP address of the SNMP management station with the snmp-server host
command.
■ Set the snmp-server options for location, contact, and the community password as
required.
■ Set the trap with the snmp-server enable traps command.
■ Set the logging level with the logging history command.