of 42

PIX Firewall Site to Site VPN

Published on February 2017 | Categories: Documents | Downloads: 13 | Comments: 0
70 views

Comments

Content

Quick Start Guide

Cisco PIX 515E Security Appliance Quick Start Guide
1 2 3 4 5 Verifying the Package Contents Installing the PIX 515E Security Appliance Configuring the Security Appliance Common Configuration Scenarios Optional Maintenance and Upgrade Procedures

About the Cisco PIX 515E Security Appliance

PIX Firewall
POWER ACT NETWORK

SERIES

The Cisco PIX 515E security appliance delivers enterprise-class security for small-to-medium businesses and enterprise networks in a modular, purpose-built security appliance. Ranging from compact, “plug-and-play” desktop appliances for small and home offices to carrier-class gigabit appliances for the most demanding enterprise and service-provider environments, Cisco PIX security appliances provide robust security, performance, and reliability for network environments of all sizes. Part of the market-leading Cisco PIX 500 series, the Cisco PIX 515E security appliance provides a wide range of integrated security services, hardware VPN acceleration, award-winning high-availability and powerful remote management capabilities in an easy-to-deploy, high-performance solution.

About this document
This document describes how to install and configure the security appliance for use in a VPN or DMZ deployment. When you have completed the procedures outlined in this document, the security appliance will be running a basic VPN or DMZ configuration. The document provides only enough information to get the security appliance up and running with a basic configuration. For more information, refer to the following documentation: • Cisco PIX Security Appliance Release Notes • Cisco PIX Security Appliance Hardware Installation Guide • Cisco Security Appliance Command Line Configuration Guide • Cisco Security Appliance Command Reference • Cisco Security Appliance System Log Messages You can find these documents online at this URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/index.htm

2

132235

1 Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install and configure your PIX 515E security appliance.

DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

100 Mbps Link

FDX

100 Mbps Link

FDX

FAILOVER

10/100 ETHERNET 1

10/100 ETHERNET 0

CONSOLE

PIX 515E

PIX-515E

Blue console cable (72-1259-01)

PC terminal adapter (74-0495-01) Yellow Ethernet cable (72-1482-01)

Failover serial cable (74-1213-01)

Mounting brackets (700-01170-02 AO SSI-3)

7 flathead screws (69-0123-01) Power cable

4 cap screws (69-0124-01)
Ge PI tti X Gung S515E ide tart ed

4 spacers (69-0125-01)

d an e ty ns an ce rr Li a r W se re U a w nd ft E So

CoSafe m t Gu pliay an ide nc d e

Rubber feet

Documentation

97955

S ce IX n P lia co pp D is A C C ity ct u ur od ec Pr

3

2 Installing the PIX 515E Security Appliance
This section describes how to install your PIX 515E security appliance into your own network, which might resemble the model in Figure 1.
Figure 1 Sample Network Layout

DMZ server

Switch DMZ

PIX 515E

Switch

Inside Outside Power cable

Laptop computer

Router

Internet Printer Personal computer
97998

To install the PIX 515E security appliance, complete these steps: Step 1 Mount the chassis in a rack by performing the following steps: a. Attach the brackets to the chassis with the supplied screws. The brackets attach to the holes near the front of the chassis. b. Attach the chassis to the equipment rack. Step 2 Step 3 Step 4 Step 5 Use one of the provided yellow Ethernet cables (72-1482-01) to connect the outside 10/100 Ethernet interface, Ethernet 0, to a DSL modem, cable modem, router, or switch. Use the other provided yellow Ethernet cable (72-1482-01) to connect the inside 10/100 Ethernet interface, Ethernet 1, to a switch or hub. Connect one end of the power cable to the rear of the PIX 515E security appliance and the other end to a power outlet. Power up the PIX 515E security appliance. The power switch is located at the rear of the chassis.

4

3 Configuring the Security Appliance
This section describes the initial security appliance configuration. You can perform the setup steps using either the browser-based Adaptive Security Device Manager (ASDM) or the command-line interface (CLI). To run the ASDM, you must have a DES license or a 3DES-AES license.

Note

About the Factory Default Configuration
Cisco security appliances are shipped with a factory-default configuration that enables quick startup. This configuration meets the needs of most small and medium business networking environments. By default, the security appliance is configured as follows: • The inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the security appliance in order to connect to the appliance. Administrators can then configure and manage the security appliance using ASDM. • The outbound interface is configured to deny all inbound traffic through the outside interface. This configuration protects your inside network from unsolicited traffic. Based on your network security policy, you should also consider configuring the security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, refer to the Cisco Security Appliance Command Reference.

5

About the Adaptive Security Device Manager
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the security appliance. Its secure, web-based design provides secure access so that you can connect to and manage the security appliance from any location by using a web browser. In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate security appliance deployment. To run ASDM, you must have a DES license or a 3DES-AES license. Additionally, Java and JavaScript must be enabled in your web browser.

About Configuration from the Command-Line Interface
In addition to the ASDM web configuration tool, you can configure the security appliance by using the command-line interface. For more information, refer to the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.

Using the Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your security appliance. With a few steps, the Startup Wizard enables you to configure the security appliance so that it allows packets to flow securely between the inside network and the outside network. Before you launch the Startup Wizard, have the following information available: • A unique hostname to identify the security appliance on your network. • The IP addresses of your outside interface, inside interface, and other interfaces. • The IP addresses to use for NAT or PAT configuration. • The IP address range for the DHCP server.

6

To use the Startup Wizard to set up a simplified basic configuration on the security appliance, follow these steps: Step 1 If you have not already done so, connect the inside Ethernet 1 interface of the security appliance to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the security appliance. Configure your PC to use DHCP (to receive an IP address automatically from the security appliance), or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.) The inside interface of the security appliance is assigned 192.168.1.1 by default, so this address is unavailable.

Step 2

Note

Step 3

Check the LINK LED on the Ethernet 1 interface. When a connection is established, the LINK LED on the Ethernet 1 interface of the security appliance and the corresponding LINK LED on the switch or hub will become solid green. Launch the Startup Wizard. a. On the PC connected to the switch or hub, launch an Internet browser. b. In the address field of the browser, enter this URL: https://192.168.1.1/. The security appliance ships with a default IP address of 192.168.1.1. Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.

Step 4

Note

Step 5 Step 6 Step 7 Step 8

In the popup window that requires a username and password, leave both fields empty. Press Enter. Click Yes to accept certificates. Click Yes for any subsequent certificates or authentication requests. After ASDM starts, choose the Wizards menu, then choose Startup Wizard. Follow the instructions in the Startup Wizard to set up your security appliance. For information about any field in the Startup Wizard, click the Help button at the bottom of the window.

7

4 Common Configuration Scenarios
This section provides configuration examples for two common security appliance configuration scenarios: • Hosting a web server on a DMZ network • Establishing a site-to-site VPN connection with other business partners or remote offices Use these scenarios as a guide when you set up your network. Substitute your own network addresses and apply additional policies as needed.

Scenario 1: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. This scenario is a sample network topology that is common to most DMZ implementations that use the security appliance. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks are able to access the web server securely. In the Figure 2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool of addresses between 30.30.30.50 and 30.30.30.60. (The IP pool is the range of IP addresses available to the DMZ interface.)
Figure 2 Network Layout for DMZ Configuration Scenario

HTTP client Inside 10.10.10.0 10.10.10.10

PIX 515E Outside 209.165.156.10 DMZ 30.30.30.0 Internet HTTP client

HTTP client

Web server 30.30.30.30

8

97999

Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to have HTTP access to the DMZ web server in the same way the clients would access any server on the Internet. This DMZ configuration scenario, shown in Figure 2, provides two routable IP addresses that are publicly available: one for the outside interface (209.165.156.10) and one for the translated DMZ web server (209.165.156.11). The following procedure describes how to use ASDM to configure the security appliance for secure communications between HTTP clients and the web server. In this DMZ scenario, the security appliance already has an outside interface configured, called dmz. Set up the security appliance interface for your DMZ by using the Startup Wizard. Ensure that the security level is set between 0 and 100. (A common choice is 50).

Information to Have Available
• Internal IP addresses of the servers inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server). • External IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the external IP address to access the server inside the DMZ.) • Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.)

Step 1: Configure IP Pools for Network Translations
For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define a pool of IP addresses (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.10) is required for the inside HTTP client to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and to facilitate secure communications between protected network clients and devices on the Internet. 1. Launch ASDM by entering this factory default IP address in the address field of a web browser: https://192.168.1.1. 2. Click the Configuration button at the top of the ASDM window. 3. Choose the NAT feature on the left side of the ASDM window.

9

4. Click the Manage Pools button at the bottom of the ASDM window. The Manage Global Address Pools window appears, allowing you to add or edit global address pools.

Note

For most configurations, global pools are added to the less secure, or public, interfaces.

5. In the Manage Global Address Pools window: a. Choose the dmz interface. b. Click the Add button.

The Add Global Pool Item window appears.

10

6. In the Add Global Pool Item window: a. Choose dmz from the Interface drop-down menu. b. Click the Range radio button to enter the IP address range. c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 30.30.30.50 to 30.30.30.60. d. Enter a unique Pool ID. (For this scenario, the Pool ID is 200.) e. Click the OK button to go back to the Manage Global Address Pools window. You can also choose Port Address Translation (PAT) or Port Address Translation (PAT) using the IP address of the interface if there are limited IP addresses available for the DMZ interface.

Note

7. In the Manage Global Address Pools window: a. Choose the outside interface. b. Click the Add button. The Add Global Pool Item window appears.

11

8. When the Add Global Pool Item window appears: a. Choose outside from the Interface drop-down menu. b. Click the Port Address Translation (PAT) using the IP address of the interface radio button. c. Assign the same Pool ID for this pool as you did in Step 6d above. (For this scenario, the Pool ID is 200.) d. Click the OK button. The configuration should be similar to the following: 9. Confirm that the configuration values are correct, then: a. Click the OK button. b. Click the Apply button in the main window. Because there are only two public IP addresses available, with one reserved for the DMZ server, all traffic initiated by the inside HTTP client exits the security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.

Note

12

Step 2: Configure Address Translations on Private Networks
Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged between two security appliance interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on the private networks to map into a single IP address on the public network. PAT is essential for small and medium businesses that have a limited number of public IP addresses available to them. To configure NAT between the inside interface and the DMZ interface for the inside HTTP client, complete the following steps starting from the main ASDM page: 1. Click the Configuration button at the top of the ASDM window. 2. Choose the NAT feature on the left side of the ASDM window. 3. Click the Translation Rules radio button, and then click the Add button at the right side of the ASDM page. The Add Address Translation Rule window appears. 4. In the Add Address Translation Rule window, make sure that the Use NAT radio button is selected, and then choose the inside interface from the drop-down menu.

13

5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10. 6. Choose 255.255.255.255 from the Mask drop-down menu. 7. Choose the DMZ interface from the Translate Address on Interface drop-down menu. 8. Click the Dynamic radio button in the Translate Address To to section. 9. Choose 200 from the Address Pools drop-down menu for the appropriate Pool ID. 10. Click the OK button. 11. A pop-up window displays asking if you want to proceed. Click the Proceed button. 12. On the NAT Translation Rules page, verify that the displayed configuration is accurate. 13. Click the Apply button to complete the configuration changes. The configuration should display as follows:

14

Step 3: Configure External Identity for the DMZ Web Server
The DMZ web server needs to be easily accessible by all hosts on the Internet. This configuration requires translating the web server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the security appliance. Complete the following steps to map the web server IP address (30.30.30.30) statically to a public IP address (209.165.156.11): 1. Click the Configuration button at the top of the ASDM window. Then choose the NAT feature on the left side of the ASDM window. 2. Click the Translation Rules radio button. Then click the Add button at the right side of the page. 3. Choose the outside dmz interface from the drop-down menu of interfaces. 4. Enter the IP address (30.30.30.30) of the web server, or click the Browse button to select the server. 5. Choose 255.255.255.255 from the Mask drop-down menu. Then click the Static radio button. 6. Enter the external IP address (209.165.156.11) for the web server. The Advanced button allows you to configure features such as limiting the number of connections per static entry and DNS rewrites. Then click the OK button. 7. Verify the values that you entered. Then click the Apply button. The configuration should display as follows:

15

Step 4: Provide HTTP Access to the DMZ Web Server
By default, the security appliance denies all traffic coming in from the public network. You must create access control rules on the security appliance to allow specific traffic types from the public network through the security appliance to resources in the DMZ. To configure an access control rule that allows HTTP traffic through the security appliance so that any client on the Internet can access a web server inside the DMZ, complete the following steps: 1. In the ASDM window: c. Click the Configuration button. d. Choose the Security Policy button on the left side of the ASDM screen. e. In the table, choose Add. 2. In the Add Rule window: a. Under Action, choose permit from the drop-down menu to allow traffic through the security appliance. b. Under Source Host/Network, click the IP Address radio button. c. Choose outside from the Interface drop-down menu. d. Enter the IP address of the Source Host/Network information. (Use 0.0.0.0 to allow traffic originating from any host or network.) e. Under Destination Host/Network, click the IP Address radio button. f. Choose the dmz interface from the Interface drop-down menu. g. In the IP address field, enter the IP address of the destination host or network, such as a web server. (In this scenario, the IP address of the web server is 30.30.30.30.) h. Choose 255.255.255.255 from the Mask drop-down menu. Alternatively, you can select the Hosts/Networks in both cases by clicking the respective Browse buttons.

Note

16

3. Specify the type of traffic that you want to permit: HTTP traffic is always directed from any TCP source port number toward a fixed destination TCP port number 80.

Note

a. Click the TCP radio button under Protocol and Service. b. Under Source Port, choose “=” (equal to) from the Service drop-down menu. c. Click the button labeled with ellipses (...), scroll through the options, and choose Any. d. Under Destination Port, choose “=” (equal to) from the Service drop-down menu. e. Click the button labeled with ellipses (...), scroll through the options, and select HTTP.

17

f. Click the OK button. For additional features, such as system log messages by ACL, click the More Options radio button at the top at the top of the screen. You can provide a name for the access rule in the window at the bottom.

Note

g. Verify that the information you entered is accurate, and click the OK button. Although the destination address specified above is the private address of the DMZ web server (30.30.30.30), HTTP traffic from any host on the Internet destined for 209.165.156.11 is permitted through the security appliance. The address translation (30.30.30.30 = 209.165.156.11) allows the traffic to be permitted.

Note

h. Click the Apply button in the main window. The configurations should display as follows:

The HTTP clients on the private and public networks can now securely access the DMZ web server.

18

Scenario 2: Site-to-Site VPN Configuration
Site-to-site VPN (Virtual Private Networking) features provided by the security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or “tunnel,” first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites. Figure 3 shows an example VPN tunnel between two security appliances.
Figure 3 Network Layout for Site-to-Site VPN Configuration Scenario

Site A PIX security appliance 1 Inside 10.10.10.0 Outside 1.1.1.1 Internet PIX security appliance 2 Outside 2.2.2.2 Inside 20.20.20.0

Site B

Creating a VPN connection such as the one in the above illustration requires you to configure two security appliances, one on each side of the connection. ASDM provides an easy-to-use configuration wizard to guide you quickly through the process of configuring a site-to-site VPN in a few simple steps.

Step 1: Configure the PIX security appliance at the first site.
Configure the security appliance at the first site, which in this scenario is PIX security appliance 1 (from this point forward referred to as PIX 1). 1. Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin. 2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard page.

132067

19

In the first VPN Wizard page, do the following: a. Choose the Site-to-Site VPN option. The Site-to-Site VPN option connects two IPSec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.

Note

b. From the drop-down menu, choose outside as the enabled interface for the current VPN tunnel. c. Click the Next button to continue.

20

Step 2: Provide information about the VPN peer.
The VPN peer is the system on the other end of the connection, usually at a remote site. Provide information about the VPN peer. In this scenario, the VPN peer is PIX security appliance 2 (from this point forward referred to as PIX 2). 1. Enter the Peer IP address (for PIX 2) and a tunnel group name. 2. Specify the type of authentication that you want to use by performing one of the following:
– To use a pre-shared key for authentication (for example, “CisCo”), click the Pre-Shared Key

radio button, and enter a pre-shared key, which is shared for IPSec negotiations between both security appliances. When you configure the PIX 2 at the remote site, the VPN peer is PIX 1. Be sure to enter the same Pre-shared Key (CisCo) that you use here.

Note

– To use digital certificates for authentication, click the Certificate radio button, and then

choose a Trustpoint Name from the drop-down menu. 3. Click the Next button to continue.

21

Step 3: Configure the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers. To specify the IKE policy, complete the following steps: 1. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the security appliance during an IKE security association. When configuring PIX 2, enter the exact values for each of the options that you chose for PIX 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Note

2. Click the Next button to continue.

22

Step 4: Configure IPSec Encryption and Authentication parameters
1. Choose the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). 2. Click the Next button to continue.

Step 5: Specify Local Hosts and Networks
Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with the remote-site peers. (The remote-site peers will be specified in a later step.) Add or remove hosts and networks dynamically from the Selected panel by clicking on the >> or << buttons respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by SA 1 and transmitted through the VPN tunnel.

23

To specify a local host or network to be allowed access to the IPSec tunnel, complete the following steps: 1. Click IP Address. 2. Specify whether the interface is inside or outside by choosing one of the interfaces from the drop-down menu. 3. Enter the IP address and mask. 4. Click Add. 5. Repeat steps 1 through step 5 for each host or network that you want to have access to the tunnel. 6. Click the Next button to continue.

Step 6: Specify Remote Hosts and Networks
Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate with the local hosts and networks you identified in Step 5. Add or remove hosts and networks dynamically from the Selected panel by clicking on the >> or << buttons respectively. In the current scenario, for PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this network is permitted through the tunnel.
24

To specify a remote host or network to be allowed access to the IPSec tunnel, complete the following steps: 1. Click IP Address. 2. Specify whether the interface is inside or outside by choosing one location from the Interface drop-down menu. 3. Enter the IP address and mask. 4. Click Add. 5. Repeat step 1 through step 5 for each host or network that you want to have access to the tunnel. 6. Click the Next button to continue. When configuring PIX 2, ensure that the values are correctly entered. The remote network for PIX 1 is the local network for PIX 2, and the reverse.

Note

25

Step 7: View VPN Attributes and Complete Wizard
Review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to complete the Wizard and apply the configuration changes to the security appliance.

Note

When configuring PIX 2, enter the same values for each of the options that you selected for PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process.

This concludes the configuration process for PIX 1.

26

What to Do Next
You have just configured the local security appliance. Now you need to configure the security appliance at the remote site. At the remote site, configure the second security appliance to serve as a VPN peer. Use the procedure you used to configure the local security appliance, starting at Step 1: Configure the PIX security appliance at the first site on page 19, and finishing with Step 7: View VPN Attributes and Complete Wizard on page 26. When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1. Mismatches are a common cause of VPN configuration failures.

Note

5 Optional Maintenance and Upgrade Procedures
Obtaining DES and 3DES/AES Encryption Licenses
The security appliance offers the option to purchase a DES or 3DES-AES license to enable specific features that provide encryption technology, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. Enabling the license requires an encryption license key. If you ordered your security appliance with a DES or 3DES-AES license, the encryption license key comes with the security appliance. If you did not order your security appliance with a DES or 3DES-AES license and would like to purchase one now, the encryption licenses are available at no charge on Cisco.com. If you are a registered user of Cisco.com and would like to obtain a DES or 3DES/AES encryption license, go to the following website: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl If you are not a registered user of Cisco.com, go to the following website: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl Provide your name, e-mail address, and the serial number for the security appliance as it appears in the show version command output. You will receive the new activation key for your security appliance within two hours (or less) on requesting the license upgrade.

Note

27

To use the activation key, follow these steps:

Command
Step 1 Step 2 Step 3

Purpose
Shows the software release, hardware configuration, license key, and related uptime data. Updates the encryption activation key by replacing the activation-4-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element. An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e. The “0x” is optional; all values are assumed to be hexadecimal. Exits global configuration mode. Saves the configuration.

pix# show version

pix# configure terminal Enters global configuration mode. pix(config)#

activation-key activation-5-tuple-key

Step 4 Step 5

pix(config)# exit

pix# copy running-config startup-config pix# reload

Step 6

Reboots the security appliance and reloads the configuration.

Restoring the Default Configuration
You can restore your configuration back to the factory default values in one of the following ways: • You can start the Startup Wizard at this URL: https://192.168.1.1/. • Using the command line as specified in the following procedure. To restore your default configuration back to the factory-default values, follow these steps:

Command
Step 1 Step 2 Step 3

Purpose
Accesses privileged EXEC mode. Enter password. Accesses global configuration mode.

hostname> enable Password: hostname# configure terminal

28

Command
Step 4

Purpose

hostname(config)# configure Erases the running configuration and replaces it with factory-default [inside_ip_address the factory default configuration. Entering the [address_mask]]1 configure factory-default command erases the current running configuration. hostname(config)# write memory Writes the factory default configuration to Flash memory.
1. If the optional inside IP address and address mask are specified, the factory-default configuration reflects that.

Step 5

Alternative Ways to Access the Security Appliance
You can access the CLI for administration using the console port on the security appliance. To do so, you must run a serial terminal emulator on a PC or workstation . To set up your system so that you can administer the security appliance from the command line using the console port, follow these steps: Step 1 Connect the blue console cable so that you have a DB-9 connector on one end, as required by the serial port for your computer, and the RJ-45 connector on the other end. Use the console port to connect to a computer to enter configuration commands. Locate the blue console cable from the accessory kit. The blue console cable assembly consists of a null-modem cable with RJ-45 connectors and a DB-9 connector.

Note

Step 2

Connect the RJ-45 connector to the PIX 515E security appliance console port, and connect the other end to the serial port connector on your computer. (See Figure 4.)

29

Figure 4

Cisco PIX Security Appliance Back Panel

100 Mbps Link

FDX

FAILOVER

10/100 ETHERNET 0/0

CONSOLE

Console port (RJ-45) RJ-45 to DB-9 serial cable (null-modem) PC terminal adapter DB-9

PIX-515

• If your PIX 515E security appliance has a four-port Ethernet circuit board already installed, the Ethernet circuit boards are numbered as shown in Figure 5. The four-port Ethernet circuit board is required to access the PIX 515E security appliance unrestricted license.
Figure 5 Four-Port Ethernet Circuit Board

Ethernet 5 Ethernet 3

DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

100 Mbps Link

FDX

100 Mbps Link

FDX

FAILOVER

10/100 ETHERNET 0/0

10/100 ETHERNET 0/0

CONSOLE

Ethernet 0

• If your PIX 515E security appliance has one or two single-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3.

30

99544

Ethernet 2 Ethernet 4

Ethernet 1

PIX-515

99547

Figure 6

Ethernet Circuit Boards Installed in Auxiliary Assembly

Ethernet 2

DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

100 Mbps Link

FDX

100 Mbps Link

FDX

FAILOVER

10/100 ETHERNET 0/0

10/100 ETHERNET 0/0

CONSOLE

Ethernet 0

Note

If you need to install an optional circuit board, refer to the “Installing a Circuit Board in the PIX 515E” section in the Cisco PIX Security Appliance Hardware Installation Guide.

If you have a second PIX 515E security appliance to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section in the Cisco PIX Security Appliance Hardware Installation Guide. Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license. Do not add a single-port circuit board in the extra slot below the four-port circuit board because the maximum number of allowed interfaces is six.

Note

Step 4

Power on the unit from the switch at the rear to start the PIX 515E security appliance. Do not power on the failover units until the active unit is configured.

99545

Ethernet 3

Ethernet 1

PIX-515

31

Checking the LEDs

POWER

ACT

NETWORK
97779

Table 1

PIX 515E Security Appliance Front Panel LEDs

LED
POWER ACT

Color
Green Green

State
On On Off

Description
On when the unit has power. On when the unit is the active failover unit. If failover is present, the light is on when the unit is the active unit. Off when the unit is in standby mode. If failover is not enabled, this light is off.

NETWORK Green
Figure 7

Flashing On when at least one network interface is passing traffic.

PIX 515E Security Appliance Front Panel LEDs

100 Mbps LED ACT LED
DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

100 Mbps LED LINK ACT LED LED

USB LINK LED

100 Mbps ACT

LINK

100 Mbps ACT

FAILOVER LINK

10/100 ETHERNET 0

USB

CONSOLE

10/100BaseTX ETHERNET 1 (RJ-45)

10/100BaseTX Console Power switch ETHERNET 0 port (RJ-45) (RJ-45)

32

97784

10/100 ETHERNET 1

PIX-515

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

33

Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace. Cisco Ordering tool: http://www.cisco.com/en/US/partner/ordering/ Cisco Marketplace: http://www.cisco.com/go/marketplace/

Ordering Documentation
You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/ • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback
You can send comments about technical documentation to [email protected] You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.

34

Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks: • Report security vulnerabilities in Cisco products. • Obtain assistance with security incidents that involve Cisco products. • Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT: • Emergencies — [email protected] • Nonemergencies — [email protected] We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list: http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on In an emergency, you can also reach PSIRT by telephone: • 1 877 228-7302 • 1 408 525-6532

Tip

35

Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Note

Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest

36

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com

37

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet • iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html

38

39

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883

Asia Pacific Headquarters Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the

Cisco Website at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Printed in the USA on recycled paper containing 10% postconsumer waste.

78-16824-01 DOC-7816824=

41

42

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close