
Easy Questions for Most Cisco Users


bond00

IS-IT--Management
Jun 8, 2006
I'm very new to Cisco, but I really need a few basic questions answered. My situation is that I'm "auditing" a company's routers and firewalls, so I have the config files, but that's about it. Below are the questions.

1. How can I tell from the config files whether they are using telnet or ssh to log into the router/firewall?

2. I noticed from the firewall config that the VPN setup is:

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

I think I understand it for the most part, but my question is about the "policy #". If the firewall at the other end of the connection has policy 1 in the config, then does that mean it uses DES encryption instead of 3DES? There are a couple of firewalls with "policy 1" that also have a "policy 10", but this main config doesn't have "policy 10". Basically, do the policies have to match?

3. Some passwords are stored with the weak Cisco 7 hash, but there is also an MD5 hash in the config as well. Are routers/firewalls like *nix, where a basic user can log in (Cisco 7 hash), but in order to make changes a superuser has to log in (MD5)?

4. Can those passwords be stored as an MD5 hash for better security, or do they have to be in the Cisco 7 hash?

Thanks so much for the help. I would REALLY appreciate any answers!
 
Hi Bond,

let me give it a shot here. Look in the PIX config to see if it has something like:

Allowing telnet from the internal net (inside) to the PIX. No restriction:

telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 30

Allowing ssh from an outside public IP address:

ssh 24.130.x.x 255.255.255.255 outside
ssh 63.x.x.105 255.255.255.255 outside
ssh 63.x.x.126 255.255.255.255 outside

Allowing ssh from inside to the inside interface of the PIX:

ssh 192.168.101.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside


1. If the firewall at the other end of the connection has policy 1 in the config, then does that mean it uses the DES encryption instead of 3DES?

Yes, it uses DES.

2. There are a couple of firewalls with the "policy 1" but also have a "policy 10", but this main config doesn't have "policy 10".

Here is an explanation of the policy:

The PIX can have many IKE policies (also known as ISAKMP protection suites), which are distinguished by their priority (an integer from 1 to 65,534). The smaller this number, the higher the policy’s priority. The IKE policy between peers must match. A policy with the highest priority is attempted first, and if not accepted by the remote peer, the next highest priority is attempted. This continues until a policy is accepted by the other peer or the list is exhausted. No match means that IKE establishment fails.

So it means that the PIX has or had a previous tunnel to some other PIX, and not to the PIX that does not have policy 10.

Yes, the policies need to match.

I'm not sure about the password part. You might want to google it.
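As an added example (not from the original thread), a small Python audit script that pulls the telnet/ssh management lines and ISAKMP policies out of a flat PIX-style config, flags the weak settings, and emulates the priority-ordered policy matching the reply describes. The sample config, the regexes and the weak-setting criteria are constructed for this example; only the flat "isakmp policy N attr value" form is parsed.

```python
import re

# Constructed sample (not the poster's real config): the answer's management lines, the question's ISAKMP policies, one IOS-style "password 7" line.
SAMPLE_CONFIG = """\
username admin password 7 0822455D0A16
enable secret 5 $1$placeholder$NOTAREALHASH
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 30
ssh 24.130.0.1 255.255.255.255 outside
ssh 192.168.101.0 255.255.255.0 inside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
"""
MGMT_RE = re.compile(r"^(telnet|ssh) (\d+(?:\.\d+){3}) (\S+) (\S+)$")  # "telnet timeout 30" is skipped
POLICY_RE = re.compile(r"^(?:crypto )?isakmp policy (\d+) (\w+) (\S+)$")  # flat PIX 6.x form only (assumption)
PW7_RE = re.compile(r"\bpassword 7 \S+")
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # audit criteria (assumption)
ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated, not matched

def audit_config(text):
    """Collect management-access lines, IKE policies keyed by priority, and type-7 password hits."""
    mgmt, policies, type7 = {"telnet": [], "ssh": []}, {}, 0
    for line in (l.strip() for l in text.splitlines()):
        if m := MGMT_RE.match(line):
            mgmt[m.group(1)].append(m.group(2, 3, 4))  # (host/net, mask, interface)
        elif m := POLICY_RE.match(line):
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif PW7_RE.search(line):  # type 7 is reversible: count it, do not decode it
            type7 += 1
    return {"mgmt": mgmt, "policies": policies, "type7": type7}

def weak_policies(policies):
    """Map each priority to the weak settings in its proposal; clean policies are omitted."""
    return {p: hits for p, a in policies.items()
            if (hits := [f"{k}={a.get(k)}" for k in WEAK if a.get(k) in WEAK[k]])}

def negotiate(local, remote):
    """Try local policies from the lowest priority number up; return the first matching (local, remote) pair or None."""
    for lp in sorted(local):
        want = tuple(local[lp].get(a) for a in ATTRS)
        for rp in sorted(remote):
            if tuple(remote[rp].get(a) for a in ATTRS) == want:
                return lp, rp
    return None
```

Because policy 1 is tried first, a peer that also carries a DES/group 1 policy will settle on it even when both sides offer 3DES; removing the weak policy from both ends is what forces the stronger proposal.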



 
Thanks so much! That helps a ton. :)
 