Version Information
Record of Changes
Issue  Date           Detail of changes
1.0    6th July 2009  Initial version
Contents
Version Information
Contents
1 Introduction
2 Getting The Configuration
2.1 Using ASDM And PDM
2.2 Using TFTP
2.3 Using SSH, Telnet Or The Console
3 Using Nipper
3.1 Nipper One
3.2 Nipper Command Line Tool
4 Support
4.1 On-Line
1 Introduction
This guide is intended to be a device-specific supplement to the “Getting Started With Nipper
1.0” user guide. This document specifically focuses on Cisco Security Appliances such as
ASA, FWSM and PIX devices. The guide highlights the different methods you can employ to
extract the configuration from your Cisco device and then how to use that configuration file
with Nipper to generate a security audit of your device.
Cisco provides a range of detailed technical documents for their devices which can be
downloaded from the Cisco web site at: http://www.cisco.com.
2 Getting The Configuration
2.1 Using ASDM And PDM
The ASDM and PDM interfaces can be accessed using a web browser with Java capabilities.
Whether you have access to ASDM or PDM will depend on your security appliance (and its
age), but the procedure is the same for both. The procedure for getting the configuration from
your device is as follows:
1. Using your favorite web browser, connect to the HTTPS service provided by your Cisco
device for remote management. You can do this by entering https:// followed by
your device's IP address. Check the certificate the device presents before you enter any
credentials; appliances commonly ship with a self-signed certificate, so your browser will
warn about it, and you should confirm it is your device's certificate rather than click through.
2. On ASDM-capable devices, click on the “Run ASDM as a Java Applet” button.
3. Logon using your administration username and password.
4. You should now see the ASDM or PDM application, both of which are shown in the
screens below.
5. You can show the “running-config” using the option on the File menu.
6. Copy and paste the configuration into a file to use with Nipper.
Cisco ASDM: [screenshot]
Cisco PDM: [screenshot]
2.2 Using TFTP
We don’t recommend using TFTP to transfer your configuration. The protocol has no
authentication and no encryption, so the configuration (including its password hashes and any
keys stored in it) crosses the network in cleartext and can be read, or substituted, by anyone
able to see the traffic. The other methods described in this section are more secure. However,
here is the procedure for using TFTP:
1. Connect to the Cisco device using SSH, Telnet, ASDM, PDM or through a Console
connection.
2. Login to your Cisco device.
3. Transfer the configuration using the TFTP command write net
<ip-address>:<filename>
where <ip-address> is the address of your TFTP server and <filename> is the name the
configuration will be stored under on that server.
Run the TFTP server on a trusted network segment, and delete the file from the server once
you have copied it to the machine where Nipper will read it.
2.3 Using SSH, Telnet Or The Console
For this procedure you will be using the Command Line Interface (CLI) of your Cisco device
using an SSH client (such as OpenSSH or PuTTY), Telnet or through the console port. We
would recommend using either SSH (for remote connections) or using a direct connection to
the console port. Telnet provides no encryption of the communications and therefore your
authentication credentials and configuration would be vulnerable if a malicious user were to
monitor your connection.
Use the following procedure to obtain a copy of the configuration file:
1. Connect to the Cisco device using your favorite SSH client, Telnet or a direct console
connection.
2. Logon using your administration authentication credentials.
3. Enter enable and type in your enable password.
4. Execute the following CLI command and capture the output (possibly using the cut and
paste facility):
show run
If you would rather not press a key at every page prompt, disable paging for the session
first with terminal pager 0 (available on ASA, FWSM and PIX 7.0 and later).
5. Save the captured output to a file and remove any visible page lines (i.e. <--- More --->
or --More--), together with the command echo and the final prompt, so that the file runs
from : Saved to : end.
3 Using Nipper
3.1 Nipper One
From the Nipper One main screen select, depending on your device, the “Cisco Security
Appliance (ASA)”, “Cisco Security Appliance (FWSM)” or “Cisco Security Appliance (PIX)”
device type from the drop down list. Select your configuration file, in the screenshot below the
configuration was saved in a file called myconfig.txt.
Once you are ready, click the “Go” button and the security audit will be performed and a report
will be shown on your screen.
3.2 Nipper Command Line Tool
You can specify that the configuration file is from a Cisco Security Appliance using the --asa,
--fwsm or --pix command line options. For example, if your configuration was saved in a file
called myconfig.txt, you could generate a report using the following commands:
For ASA devices:
nipper --asa --input=myconfig.txt --output=myreport.html
For FWSM devices:
nipper --fwsm --input=myconfig.txt --output=myreport.html
For PIX devices:
nipper --pix --input=myconfig.txt --output=myreport.html
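The following script is an added example and is not part of this guide or of Titania's
Nipper code. It tidies a raw terminal capture of show run taken as described in section 2.3,
checks that the capture is complete, and picks the matching command line option from
section 3.2. The assumptions are mine: the pager prompt is <--- More ---> (ASA, FWSM, PIX)
or --More-- (IOS style) and may be followed by the spaces and backspaces the device sends to
erase it; the capture may contain CRLF line endings, the command echo and the final prompt.
The sample capture it works on is constructed and is not a real device configuration.

```shell
#!/bin/sh
# Added example, not code from the Nipper guide or from Titania: tidy a raw
# terminal capture of "show run" (section 2.3), check that it is complete and
# pick the Nipper device option from section 3.2.
# Assumptions (mine): pager prompts are "<--- More --->" or "--More--", possibly
# followed by the spaces/backspaces sent to erase them; lines may end in CRLF;
# the capture may include the command echo and the trailing prompt.

# Constructed sample capture: a fictitious, cut-down ASA configuration with a
# command echo, two pager prompts and CRLF endings, as a terminal logger might
# record it. It is not a real device configuration.
make_sample_capture() {
    printf 'ciscoasa# show run\r\n'
    printf ': Saved\r\n'
    printf ':\r\n'
    printf 'ASA Version 8.2(1)\r\n'
    printf '!\r\n'
    printf 'hostname ciscoasa\r\n'
    printf 'enable password 8Ry2YjIyt7RRXU24 encrypted\r\n'
    printf '<--- More --->\r              \rinterface Vlan1\r\n'
    printf ' nameif inside\r\n'
    printf ' security-level 100\r\n'
    printf '<--- More --->\r\n'
    printf ' ip address 192.0.2.1 255.255.255.0\r\n'
    printf 'telnet 0.0.0.0 0.0.0.0 inside\r\n'
    printf ': end\r\n'
    printf 'ciscoasa# \r\n'
}

# clean_capture RAW OUT: strip CR and backspace characters, remove pager
# prompts (and the padding after them), drop the command echo and trailing
# prompt ("hostname# ..."), and drop lines left empty. Leading spaces on
# configuration lines are kept: they are significant (e.g. object-group members).
clean_capture() {
    tr -d '\r\010' < "$1" \
    | sed -e 's/^<--- More --->[[:space:]]*//' \
          -e 's/^ *--More-- *//' \
          -e '/^[^ ]*[#>] /d' \
          -e '/^[^ ]*[#>]$/d' \
          -e '/^$/d' > "$2"
}

# check_complete FILE: succeed only if the file has a version banner and the
# ": end" marker, i.e. the capture was not cut short by a dropped session or
# an unanswered pager prompt.
check_complete() {
    grep -Eq '^(ASA|PIX|FWSM) Version ' "$1" && grep -q '^: end$' "$1"
}

# nipper_flag FILE: print the Nipper option matching the platform named in the
# version banner, or fail if there is none.
nipper_flag() {
    if grep -q '^ASA Version ' "$1"; then echo "--asa"
    elif grep -q '^FWSM Version ' "$1"; then echo "--fwsm"
    elif grep -q '^PIX Version ' "$1"; then echo "--pix"
    else echo "no ASA/FWSM/PIX version banner found in $1" >&2; return 1
    fi
}

# Stand-alone demonstration: clean the sample, verify it and print the Nipper
# command you would run next.
workdir=$(mktemp -d)
make_sample_capture > "$workdir/capture.txt"
clean_capture "$workdir/capture.txt" "$workdir/myconfig.txt"
if check_complete "$workdir/myconfig.txt"; then
    echo "nipper $(nipper_flag "$workdir/myconfig.txt") --input=$workdir/myconfig.txt --output=myreport.html"
else
    echo "capture looks incomplete; re-run show run with 'terminal pager 0'" >&2
fi
```

The completeness check is the part worth keeping even if you clean the file by hand: a
capture that lost its tail at a pager prompt still looks like a configuration, and Nipper will
happily audit the fragment, so look for : end before you trust the report.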
4 Support
4.1 On-Line
The Titania web site (http://www.titania.co.uk) has a support section that includes
documentation, updates, frequently asked questions (FAQ), forums and more. If you have
any feature requests or identify any bugs, these can be added to the Titania Bugzilla system.
You will then be notified by email of any changes made to your entries or those that you are
monitoring.