Using Nipper With Cisco Security Applicances

(ASA, FWSM And PIX)

User Guide
 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

Version Information

Record of Changes
Issue Date Detail of changes
th
1.0 6 July 2009 Initial version

Copyright Titania 2009 Page i

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

Contents
Version Information i
Contents ii
1 Introduction 1
2 Getting The Configuration 2
2.1 Using ASDM And PDM 2
2.2 Using TFTP 3
2.3 Using SSH, Telnet Or The Console 4
3 Using Nipper 5
3.1 Nipper One 5
3.2 Nipper Command Line Tool 5
4 Support 6
4.1 On-Line 6

Copyright Titania 2009 Page ii

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

1 Introduction
This guide is intended to be a device specific supplement to the “Getting Started With Nipper
1.0” user guide. This document specifically focuses on Cisco Security Appliances such as
ASA, FWSM and PIX devices. The guide highlights different methods you can employ in order
to extract the configuration from your Cisco device and then how to use that configuration file
with Nipper to generate a security audit of your device.

Cisco provide a range of detailed technical documents for their devices which can be
downloaded from the Cisco web site at: http://www.cisco.com.

Copyright Titania 2009 Page 1

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

2 Getting The Configuration

There are multiple ways that you can extract the configuration from your Cisco Security
Appliance, this section outlines just three of those.
Your configuration should be treated as sensitive information, just like your personal details
should be considered as sensitive information. For that reason we would recommend that the
configuration should be transfered using an encrypted connection in order to help prevent it
from being leaked. We recommend that you use either ASDM, PDM, SSH or a direct console
connection to the device in order to get the configuration.
More information on extracting your devices configuration can be found in your devices
documentation.

2.1 Using ASDM And PDM

The ASDM and PDM interfaces can be accessed using a web browser with Java capabilities.
Whether you have access to ASDM or PDM will depend on your security appliance (and its
age), but the procedure is the same for both. The procedure for getting the configuration from
the your device is as follows:
1. Using your favorite web browser, connect to the HTTPS service provided by your Cisco
device for remote management. You can do this by entering https:// followed by
your devices IP address.
2. On ADSM-capable devices, click on the “Run ADSM as a Java Applet” button.
3. Logon using your administration username and password.
4. You should now see the ADSM or PDM application, both of which are shown in the
screens below.
5. You can show the “running-config” using the option on the File menu.
6. Copy and paste the configuration into a file to use with Nipper.
Cisco ASDM:

Copyright Titania 2009 Page 2

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

Cisco PDM:

2.2 Using TFTP

We don’t recommend using TFTP to transfer your configuration due to weaknesses in the
protocol, the other methods described in this section are more secure. However, here is the
procedure for using TFTP:
1. Connect to the Cisco device using SSH, Telnet, ASDM, PDM or through a Console
connection.
2. Login to your Cisco PIX device.
3. Transfer the configuration using the TFTP command write net
<ip-address>:<filename>

Copyright Titania 2009 Page 3

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

2.3 Using SSH, Telnet Or The Console

For this procedure you will be using the Command Line Interface (CLI) of your Cisco device
using an SSH client (such as OpenSSH or Putty), Telnet or through the console port. We
would recommend using either SSH (for remote connections) or using a direct connection to
the console port. Telnet provides no encryption of the communications and therefore your
authentication credentials and configuration would be vulnerable if a malicious user were to
monitor your connection.
Use the following procedure to obtain a copy of the configuration file:
1. Connect to the Cisco using your favorite SSH client, Telnet or a direct console
connection.
2. Logon using your administration authentication credentials.
3. Enter enable and type in your enable password.
4. Execute the following CLI command and capture the output (possibly using the cut and
paste facility):
show run
5. Save the captured output to a file and remove any visible page lines (i.e. –More–).

Copyright Titania 2009 Page 4

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

3 Using Nipper

3.1 Nipper One

From the Nipper One main screen select, depending on your device, the “Cisco Security
Appliance (ASA)”, “Cisco Security Appliance (FWSM)” or “Cisco Security Appliance (PIX)”
device type from the drop down list. Select your configuration file, in the screenshot below the
configuration was saved in a file called myconfig.txt.

Once you are ready, click the “Go” button and the security audit will be performed and a report
will be shown on your screen.

3.2 Nipper Command Line Tool

You can specify that the configuration file is from a Cisco Security Appliances using the -asa,
-fwsm or -pix command line options. For example if your configuration was saved in a file
called myconfig.txt, you could generate a report using the following commands:
For ASA devices:
nipper --asa --input=myconfig.txt --output=myreport.html
For FWSM devices:
nipper --fwsm --input=myconfig.txt --output=myreport.html
For PIX devices:
nipper --pix --input=myconfig.txt --output=myreport.html

Copyright Titania 2009 Page 5

 Using Nipper With Cisco Security Applicances (ASA, FWSM And PIX)

4 Support

4.1 On-Line

The Titania web site (http://www.titania.co.uk) has a support section that includes
documentation, updates, frequently asked questions (FAQ), forums and more. If you have
any feature requests or identify any bugs, these can be added to the Titania Bugzilla system.
You will then be notified by email of any changes made to your entries or those that you are
monitoring.

Copyright Titania 2009 Page 6