InfoSecter Support Notes for PIX, ASA, and FWSM

Supported versions

• PIX version 6.0 through 8.0.
• ASA version 7.0 through 8.2.
• FWSM versions through 3.2.

The analysis support concentrates on firewall and VPN features. In particular InfoSecter reports may include the following classes of actions.

• permit or deny, basic firewall filtering.
• translate, address translation.
• inspect protocol, activation of more detailed protocol processing enabled by the fixup or inspect commands.
• crypto-map map name, direct traffic into the specified crypto map for IPSec tunneling.
• filter, URL filtering.
• aaa, authentication, authorization, or accounting configuration.

The tool will parse most of the the commands in the supported versions with the following exceptions.

• WebVPN
• Failover commands

Gather device configurations

InfoSecter operates on configuration files. There are several means to export a configuration from a PIX or ASA device. One uses the ASDM https interface to pull a config from a PIX/ASA to a client machine. Another technique pushes a config from a PIX/ASA to a client machine.

Pulling a configuration

From a client machine, use https to pull the running config or the start up config from the ASA/PIX. To enable this, the device must be configured to allow ASDM access as described in the Cisco Documentation (short of installing the ASDM image). The device must have a certificate installed using the crypto key generate rsa command. The embedded web server must be enabled on the device using the http enable command, and the http command must be used to give access to the requesting client.

Once the device is configured to allow https access, you can use a browser on the client machine to fetch the URL. Say the PIX/ASA device is at address 192.168.1.1, the URL would be

    https://192.168.1.1/exec/show run

You will be prompted for a user name and password. If you have AAA authentication enabled or local users defined, use one of the defined user names and passwords. Otherwise, use "pix" for the username and your enable password for the password.

Pushing a configuration

From the ASA/PIX device you can use the copy command to copy the start up or running config to an accessible machine via a variety of protocols (including tftp, ftp, scp, rcp, http, and https). The Cisco Documentation describes this technique for backing up configurations in greater detail.

For example, if there is a machine with the address 192.168.200.2 running a FTP server with an account for user, you can issue the following command to copy the running config to the ftp server.

    copy running-config ftp://user:password@192.168.200.2/run.cfg