The PIX Administration Category
Perhaps one of the most useful categories available in the System Properties tab is
the PIX Administration category. From this category, you can administer the subcategories
listed in Table 9.2.
Table 9.2 PIX Administration Subcategories
PIX Administration Subcategory   Function
Device                           Configure the PIX hostname and domain name.
Password                         Configure enable and Telnet passwords.
Authentication/Authorization     Configure LOCAL, TACACS+, or RADIUS authentication/authorization for PDM, serial, Telnet, and SSH connections. Specific authorization levels can also be administered from this screen.
User Accounts                    Administer local user accounts and determine privilege levels.
PDM/HTTPS                        Specify hosts and networks allowed to access the firewall via PDM.
Telnet                           Specify hosts and networks allowed to access the firewall via Telnet.
Secure Shell                     Specify hosts and networks allowed to access the firewall via SSH.
SNMP                             Configure SNMP variables such as community strings and trap destinations.
ICMP                             Configure ICMP permissions to the firewall interfaces.
TFTP Server                      Specify TFTP services.
Clock                            Configure time variables such as time zone and calendar date.
NTP                              Configure Network Time Protocol servers for automated time synchronization.
www.syngress.com
Figure 9.23 The DHCP Server Advanced Window
Chapter 9 • PIX Device Manager
Click each subcategory to view the associated configuration screen. The Device
screen is identical to that shown in the Startup Wizard window. Refer to the
“Startup Wizard” section for more information about changing the hostname
and domain name for the PIX device.
To change administrative authentication variables on the PIX firewall, click
the Password subcategory in the PIX Administration category, as shown in
Figure 9.24.
Figure 9.24 PIX Administration: The Password Screen
To change passwords, type the current Enable or Telnet password in the Old
Password field. Type a new password in the New Password and Confirm
New Password fields. Click Apply to PIX. A dialog box appears confirming
the new password. To reset the Enable or Telnet password to the original configuration,
click Reset.
You can control very granular authentication and authorization attributes via
the Authentication/Authorization PIX Administration subcategory screen. This
screen is shown in Figure 9.25.
Access to the PIX firewall, whether via PDM, serial (console), SSH, or Telnet,
can be controlled via LOCAL, TACACS+, or RADIUS server groups. You can also
configure authentication for privileged modes from this screen. AAA server groups
are determined using the AAA category from the System Properties window. (AAA
is discussed later in this chapter.) If no AAA services are available on your network,
you can use LOCAL authentication and configure user accounts on the PIX firewall.
User account maintenance is discussed later in this section.
Figure 9.25 PIX Administration: The Authentication/Authorization Screen
Use the check boxes and pull-down menus to modify authentication and authorization
attributes. From PDM, you can also control user access to administrative
commands. This PDM feature enables distributed administration and allows users
to access PDM using read-only or monitor-only permissions. To enable this
feature, click the Enable Authorization check box. When you first enable
authorization, PDM prompts you to configure predefined account privileges.
A window appears, as shown in Figure 9.26.
This setup screen creates three predefined authorization levels, which are
detailed in Table 9.3.
Table 9.3 Predefined Authorization Levels
Predefined Authorization   CLI Level   Description
Admin                      15          Access to CLI functionality.
Read-only                  5           Read-only access to all CLI functionality.
Monitor-only               3           Access to monitoring functionality only.
Figure 9.26 The Predefined User Account Privileges Setup Window
Click Yes to create these predefined authorization levels or No to specify
your own levels. To specify your own granular command access attributes,
click the Advanced button. The Command Account window appears, as shown in
Figure 9.27.
From this window, you can specify the privilege level for each PIX firewall
command. To change a privilege level, highlight a CLI command and click Edit.
From the popup window, select the privilege level from the Privilege Level
drop-down list. When finished, click Apply to PIX and return to the System
Properties tab.
After specifying authentication mechanisms and authorization levels, you can
add administrative user accounts from the User Accounts category, as shown in
Figure 9.28.
From this screen, you can add, modify, or delete user accounts. To add a new
user, click the Add button. From the popup window, configure user attributes by
completing the User Name and Password fields and selecting an appropriate
privilege level from the Privilege Level pull-down list. If you configured
specific privilege levels as previously discussed, these levels will appear in the
Privilege Level pull-down list.
Figure 9.27 The Authentication/Authorization Command Account Window
The next three PIX Administration subcategories are similar in nature. These
subcategories, PDM/HTTPS, Telnet, and Secure Shell, all control source IP
address access to each of these administration methods. For brevity, we only
discuss the PDM/HTTPS subcategory here.
To add, delete, or modify the source IP addresses permitted to access PDM,
click the PDM/HTTPS subcategory. The PDM/HTTPS screen appears, as
shown in Figure 9.29.
Use the Add, Edit, and Delete buttons from this screen to control the IP
address(es) allowed to access PDM from specific interfaces. This screen is identical
for Telnet and Secure Shell access control.
From the PIX Administration category, you can also configure SNMP. To
modify SNMP variables, click the SNMP subcategory. The SNMP screen
appears, as shown in Figure 9.30.
Figure 9.28 PIX Administration: The User Accounts Screen
Figure 9.29 PIX Administration: PDM/HTTPS
Figure 9.30 PIX Administration: SNMP
As you can see, from the SNMP screen you can configure variables such as
the community string, contact, and location information. You can also specify
SNMP management stations by clicking the Add button beside the SNMP
management station field. When you add a management station, you can configure
the PIX to allow polling from the server and to send traps to the server. To
configure the firewall to send syslog-based traps to the server, click the check box
beside the Send syslog messages as SNMP traps and select the severity level
from the Level pull-down list.
ICMP is a useful testing and debugging tool in any environment. The ICMP
subcategory is used to permit or deny ICMP to the PIX interfaces. This should
not be confused with ACLs applied to the PIX interfaces to permit or deny
ICMP through the firewall. To disable ICMP or permit only specific types of
ICMP to the PIX interfaces, click the Add button from the ICMP screen. The
Add ICMP Rule window appears, as shown in Figure 9.31.
From this window, select the ICMP type such as echo or echo-reply from
the ICMP Type pull-down menu, choose the interface from the Interface pull-down
menu, and determine the source address information by typing in the IP
Address and Mask fields. Finally, determine the PIX action by selecting either
permit or deny from the Action pull-down list.
NOTE
By default, the PIX firewall permits ICMP to all its interfaces.
Figure 9.31 The Add ICMP Rule Window
The TFTP Server subcategory permits the configuration of TFTP variables
such as the IP address of the TFTP server and the specific server file system path
to be used for TFTP transfers.
The last two subcategories under PIX Administration control the date and
time on the PIX firewall. The Clock subcategory facilitates the configuration of
the time zone, day, month, year, and exact time on the PIX firewall. The NTP
subcategory permits the configuration of Network Time Protocol (NTP)
attributes. Click the NTP subcategory to see the NTP screen, as shown in
Figure 9.32.
From this screen, you can add NTP clock sources to maintain accurate time.
Use the Add, Edit, and Delete buttons to configure NTP server IP addresses and
the interface over which NTP should run. Select the Enable NTP
Authentication check box to enable NTP.
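The settings covered in this section (management source addresses for PDM/HTTPS, Telnet, and Secure Shell, the SNMP community string, ICMP rules on the PIX interfaces, and NTP authentication) can be reviewed offline in a saved configuration. The following is an added example, not code from the book or from Cisco: it assumes PIX 6.x-style CLI lines, and the sample configuration, the function name audit_pix_admin, and the interface names are constructed for illustration.

```python
import re

# Constructed sample of a PIX 6.x-style saved configuration (not from the book).
SAMPLE_CONFIG = """\
hostname pixfw
domain-name example.com
aaa authentication telnet console LOCAL
username admin password PLACEHOLDER encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
snmp-server host inside 192.168.1.50
icmp deny any echo outside
ntp server 192.168.1.10 source inside
"""

# "<method> <address> <mask> <interface>" lines written by the three access screens.
MGMT = re.compile(r"^(http|telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def audit_pix_admin(config, interfaces=("inside", "outside")):
    """Return findings for the settings managed under PIX Administration."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # PDM/HTTPS, Telnet, Secure Shell: a 0.0.0.0 mask admits any source address.
    for line in lines:
        m = MGMT.match(line)
        if m and m.group(3) == "0.0.0.0":
            findings.append(f"{m.group(1)}: any source allowed on {m.group(4)}")
    # SNMP: a well-known default community string.
    for line in lines:
        words = line.split()
        if words[:2] == ["snmp-server", "community"] and words[-1] in ("public", "private"):
            findings.append("snmp: default community string")
    # ICMP: with no icmp rule on an interface, the default permit applies to it.
    ruled = {l.split()[-1] for l in lines if re.match(r"icmp (permit|deny) ", l)}
    for ifc in interfaces:
        if ifc not in ruled:
            findings.append(f"icmp: no rule on {ifc}, default permit applies")
    # NTP: servers configured but authentication not turned on.
    if any(l.startswith("ntp server ") for l in lines) and "ntp authenticate" not in lines:
        findings.append("ntp: server configured without ntp authenticate")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_admin(SAMPLE_CONFIG):
        print(finding)
```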