
September 24, 2006

PIX Authentication Using Local User Database (and Kiwi CatTools)

So here's the scenario I ran into...I just set up a new client for managed network services (where my company (AdTEC Networks) is doing the management). This client happened to have some fairly technical people on staff who wanted privileged mode access to the PIX firewall. No problemo...that is, until I received phone calls with people screaming, "THE NETWORK IS DOWN!!!"

There I am, feeling a cold drip of sweat trickling down the side of my face, scrolling through a running config on a PIX firewall. Aha! Who put that command there?!?! After removing the 'mystery' NAT statement, the network magically works again...now who's to blame...

Of course, all my customer's network admins deny any responsibility, and since there's only a single username / password combination on the PIX (and enable password), there was no way of telling who was responsible. It's time for deeper authentication on the PIX firewall.

Three commands to make this happen (enter them from the console or an existing session, and make sure at least one privilege-15 user exists before you log out, or you can lock yourself out of the box):

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

Then create your user accounts using this syntax (this is how the lines appear in the running config; when you type the command yourself, give the cleartext password and leave off the "encrypted" keyword):

username user1 password TUgFoweE932kS0z encrypted privilege 15
username user2 password TUgFoweE932kS0z encrypted privilege 15
...and so on

Here's the powerful result: the users now log in with their own username (user1 and user2 in this case) and their own password, rather than the generic "pix" login, so every session is tied to a person. The ultra-cool thing (in my opinion) is that second command, "aaa authentication enable console LOCAL": it makes the enable prompt authenticate against the same local user database, so an admin uses their own password for enable mode, the same one they used for the SSH/Telnet session. The third command, "aaa authorization command LOCAL", checks each command against the privilege level on the username, so what a user can run is bounded by the level you gave them. Sweet!
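As an added example (not part of the original post, and not a Cisco or Kiwi tool), here is a small Python audit that reads a saved PIX running-config and checks for the three AAA commands above, verifies that the local database actually has a privilege-15 user (so LOCAL authentication will not lock you out of enable mode), and flags generic shared logins that would defeat the per-admin accountability. The sample config is constructed for the demo; the default privilege level of 2 for a username without an explicit level is the PIX/ASA default.

```python
import re

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname pix-edge
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
username user1 password TUgFoweE932kS0z encrypted privilege 15
username user2 password TUgFoweE932kS0z encrypted privilege 15
username helpdesk password AbC123xyz encrypted privilege 3
"""

# The three per-user AAA commands from the post.
REQUIRED_AAA = (
    "aaa authentication ssh console LOCAL",
    "aaa authentication enable console LOCAL",
    "aaa authorization command LOCAL",
)

# Matches "username NAME password HASH encrypted [privilege N]".
USERNAME_RE = re.compile(r"^username (\S+) password \S+ encrypted(?: privilege (\d+))?$")

# Logins that identify a role, not a person (assumed list for the demo).
GENERIC_LOGINS = {"pix", "admin", "cisco"}


def audit_config(config):
    """Return a list of findings; an empty list means the config passes."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # 1. Every AAA command must be present, or logins fall back to the shared password.
    for cmd in REQUIRED_AAA:
        if cmd not in lines:
            findings.append(f"missing: {cmd}")
    # 2. Collect local users; a username without "privilege" defaults to level 2.
    users = {}
    for ln in lines:
        m = USERNAME_RE.match(ln)
        if m:
            users[m.group(1)] = int(m.group(2) or 2)
    if not users:
        findings.append("no local users defined: LOCAL authentication would lock everyone out")
    elif not any(level == 15 for level in users.values()):
        findings.append("no privilege-15 user: nobody can enter enable mode via LOCAL")
    # 3. A shared generic account brings back the "who did it?" problem.
    for name in users:
        if name.lower() in GENERIC_LOGINS:
            findings.append(f"generic shared account present: {name}")
    return findings


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG) or "config passes all checks")
```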

Last, but not least, pick up a copy of Kiwi CatTools. This AWESOME (and cheap - free for 5 devices) utility does configuration change management. Now, if the configuration changes, I get an email showing me what changed and who made the changes. Niiice.

Posted by JC at September 24, 2006 5:30 PM


Comments

cool

One thing I want to ask though: in your opinion, are Kiwi tools better for config management, or CiscoWorks, regardless of the cost?

Posted by: Sikandar at December 6, 2006 2:24 PM

If you can afford it, CiscoWorks is definitely better...I'm just cheap :).

Posted by: JC at December 6, 2006 3:03 PM

Question: What is the maximum number of users that can be created using the LOCAL DATABASE on the PIX/ASA?

Posted by: rcuares at November 4, 2007 4:18 PM

How would I connect 2 PCs with a switch and a router so that they can ping each other without connecting them through the same switch?

Posted by: Dayne at December 8, 2007 2:23 PM
