Cisco PIX/ASA Security Appliance: How to Configure Banners
Banners can be configured to display when a user first
connects (MOTD), when a user logs in (login), or when a
user accesses privileged mode (exec). Banners are used for
legal warnings such as when a user is cautioned not to
access a restricted system or that their access of a system
is subject to monitoring and logging. Banners are also used
on locked systems placed at customer locations by service
providers to provide contact information for device access
or technical support. The Cisco security appliance supports
the use of login banners in console sessions and Telnet
sessions, but not in SSH sessions. Exec and MOTD banners
are supported in console, Telnet, and SSH sessions. Banners
can be up to 510 characters in length. You can create
multi-line banners either by entering multiple banner
statements or by using the character sequence "\n", which
inserts a carriage return.
Here's how banners are displayed:
MOTD Banners--When usernames are not configured, MOTD
displays at login in a serial console session and before
login in Telnet sessions. When usernames are configured,
MOTD displays before login in a Telnet session and after
login in a serial console session.
Login Banners--The login banner displays before login in
Telnet and serial console sessions.
Exec Banners--The exec banner displays upon login in all
sessions.
How to Configure a Banner
Note: The following procedures were tested on an ASA 5505
Security Appliance running software version 7.22. Other
hardware or software platforms may require modification of
these procedures in order to function properly.
To configure a banner, use the following configuration mode
commands:
asa(config)#banner motd This is a restricted system.
asa(config)#banner motd Do not attempt unauthorized access.
Notice the use of two banner motd statements to create a
multi-line banner. As mentioned previously, you can also
use the "\n" key sequence to insert a carriage return.
You can view the banners you created with the following
privileged mode command:
asa#show running-config banner
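The following Python script is an added example, not part of the original article or of any Cisco tooling. It audits saved "show running-config banner" output against two points made above: the 510-character limit, and the fact that a login banner is not shown in SSH sessions, so a legal warning placed only there is never seen by SSH users. It assumes the output lists one "banner <type> <text>" statement per line, applies the 510-character figure to the combined text of each banner type, and uses a hypothetical keyword list to recognize a warning.

```python
import re

MAX_BANNER_CHARS = 510            # length limit stated on this page
SSH_VISIBLE = ("motd", "exec")    # per this page, login banners are not shown over SSH
# Assumed policy keywords that mark a legal warning; adapt to your own wording.
WARNING_WORDS = ("unauthorized", "restricted", "monitor")
BANNER_RE = re.compile(r"^banner\s+(motd|login|exec)\s+(.*)$")

def parse_banners(config_text):
    """Group 'banner <type> <text>' statements by type, keeping line order."""
    banners = {}
    for raw in config_text.splitlines():
        match = BANNER_RE.match(raw.strip())
        if match:
            banners.setdefault(match.group(1), []).append(match.group(2))
    return banners

def has_warning(lines):
    """True if any assumed warning keyword appears in the banner text."""
    text = " ".join(lines).lower()
    return any(word in text for word in WARNING_WORDS)

def audit_banners(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    banners = parse_banners(config_text)
    findings = []
    for kind, lines in banners.items():
        length = len("\n".join(lines))   # each extra statement adds a line break
        if length > MAX_BANNER_CHARS:
            findings.append(f"{kind}: {length} characters exceeds {MAX_BANNER_CHARS}")
    if not any(has_warning(banners.get(kind, [])) for kind in SSH_VISIBLE):
        if has_warning(banners.get("login", [])):
            findings.append("warning only in login banner: not shown to SSH users")
        else:
            findings.append("no warning banner configured for any session type")
    return findings

# Constructed sample inputs (not captured from a real device).
SAMPLE_OK = """\
banner motd This is a restricted system.
banner motd Do not attempt unauthorized access.
"""
SAMPLE_LOGIN_ONLY = """\
banner login This is a restricted system.
banner login Access is subject to monitoring and logging.
banner exec Support: contact your service provider.
"""

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("login-only", SAMPLE_LOGIN_ONLY)):
        print(name, audit_banners(cfg) or "no findings")
```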
Hands-On Exercise: Creating Banners on the Security
Appliance
The following procedures are for training purposes only and
should only be performed on devices in a laboratory
environment. Under no circumstances should these
procedures be performed on equipment in a live, production
environment without first verifying their suitability in a
laboratory environment.
In the following hands-on exercise, you will create MOTD,
login, and EXEC banners.
Step 1: In configuration mode, enter the following
commands:
asa(config)#banner motd This is the MOTD banner
asa(config)#banner login This is the login banner
asa(config)#banner exec This is the EXEC banner
Step 2: Display the banners you just created with the
following command:
asa(config)#show running-config banner
Step 3: Type exit repeatedly until you are logged out of
your laboratory security appliance.
Notice which banners are displayed.
Step 4: Enter privileged mode with the command "enable"
and notice which banners are displayed.
Step 5: From your laboratory computer, start a Telnet
session and again observe which banners are displayed. When
you are finished, exit the Telnet session.
Step 6: Also from your laboratory computer, start an SSH
session and again observe which banners are displayed. When
you are finished, exit the SSH session.
Note: The above procedures are similar to the procedures
used to configure banners on other Cisco devices
including routers.
About the Author:
Visit www.soundtraining.net to learn more about
soundtraining.net's business skills training programs for
IT professionals, plus accelerated technical training
programs for IT professionals in the areas of Cisco,
Microsoft, and Linux products. To learn more about
soundtraining.net's Two-Day Cisco PIX/ASA Firewall hands-on
seminar, visit
www.soundtraining.net/onlinestore/categories/category
34.html