Quick Start Guide: Cisco PIX 515E Firewall

Contents
1 Check Items Included
2 Install the PIX 515E
3 Configure the PIX 515E
4 Example Configurations
5 Optional Maintenance and Upgrade Procedures
About the Cisco PIX 515E Firewall

The Cisco PIX 515E delivers enterprise-class security for small-to-medium business and enterprise networks in a modular, purpose-built appliance. Its versatile one-rack-unit (1RU) design supports up to six 10/100 Fast Ethernet interfaces, making it an excellent choice for businesses that require a cost-effective, resilient security solution with demilitarized zone (DMZ) support.
1 Check Items Included

[Figure: PIX 515E front panel and the contents of the accessory kit]

The accessory kit contains:
• Blue console cable (72-1259-01)
• PC terminal adapter (74-0495-01)
• Yellow Ethernet cable (72-1482-01)
• Mounting brackets (700-01170-02 AO SSI-3)
• Failover serial cable (74-1213-01)
• 7 flathead screws (69-0123-01)
• 4 cap screws (69-0124-01)
2 Install the PIX 515E

[Figure: example deployment; the PIX 515E connects an inside switch (personal computer, laptop computer, printer), a DMZ switch with a DMZ server, and an outside router to the Internet]

Follow these steps to install the PIX 515E:

Step 1 Install the rubber feet onto the five round, recessed areas on the bottom of the chassis.

Note The chassis is also rack-mountable. For rack-mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Installation Guide.
3 Configure the PIX 515E

The PIX 515E comes with a factory-default configuration that meets the needs of most small and medium business networking environments. A default DHCP server address pool is included for hosts on the inside interface. The factory-default configuration on the PIX 515E protects your inside network from unsolicited traffic: by default, the PIX 515E denies all inbound traffic through the outside interface.
Step 4 To access the Startup Wizard, use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your Internet browser.

Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX 515E.

Step 5 Leave both the username and password boxes empty. Press Enter.

Step 6 Select Yes to accept the certificates and follow the instructions in the Startup Wizard to set up your PIX 515E.
4 Example Configurations

[Figure: HTTP clients on the inside network (10.10.10.0, client 10.10.10.10) and on the Internet reach a web server (30.30.30.30) on the DMZ network (30.30.30.0) through the PIX 515E, whose outside interface is 209.165.156.10]

Step 1 Manage IP Pools for Network Translations

For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define an IP pool (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.
c. Select the Translation Rules tab.
d. Click the Manage Pools button. A new window appears, allowing you to add or edit global address pools.

Note For most configurations, global pools are added to the less secure, or public, interfaces.

In the Manage Global Address Pools window:
a. Select the dmz interface.
b. Click the Add button.

In the Add Global Pool Item window:
a. Select dmz from the Interface drop-down menu.
b. Click the Range radio button to enter the IP address range.
c. Because the range of IP addresses for the DMZ interface is 30.30.30.50–30.30.30.60, enter these values in the two fields.
d. Enter a unique Pool ID (in this case, enter 200).
e. Click the OK button to go back to the Manage Global Address Pools window.

Note You can also select PAT, or PAT using the IP address of the interface, if there are limited IP addresses available for the DMZ interface.
When the new window comes up:
a. Select outside from the Interface drop-down menu.
b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
c. Assign the same Pool ID for this pool as in Step d above (200).
d. Click the OK button.

Once the pools are configured, confirm their values before applying the rules to the PIX 515E.

Confirm the configurations:
a. Click the OK button.
b. Click the Apply button in the main window.
Step 2 Configure Address Translations on Private Networks

Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing between two PIX interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on the private networks to map into a single IP address on the public network.
b. Right click in the gray area below the Manage Pools button and select Add.
c. In the new window, select the inside interface.
d. Enter the IP address of the client (10.10.10.10).
e. Select 255.255.255.255 from the Mask drop-down menu.

Note You can select the inside host by clicking on the Browse button.

f. Select the DMZ interface on which the translation is required.
g. Click the Dynamic radio button in the Translate Address to section.
h.
Note Enter the entire network range (10.10.10.0) or select the network using the Browse button and select the Pool ID if there are multiple HTTP clients.
j. Click the OK button.
k. Click the Proceed button. Check the displayed configuration for accuracy.
l. Click the Apply button to configure the PIX Firewall.

Repeat the steps to configure interface PAT between the inside and outside interfaces. The procedure remains the same, except that the interface on which the translation is required is now the outside interface, and the Dynamic address pool should now indicate the interface PAT keywords.
Step 3 Configure External Identity for the DMZ Web Server

The DMZ web server must be reachable by all hosts on the Internet. This configuration requires translating the DMZ server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it without being aware of the firewall. Complete the following steps to map the DMZ IP address (30.30.30.30) statically to a public IP address (209.165.156.11):
a. Right click in the gray area under the Translation Rules tab.
b. Select Add.
c.
The configurations should display as shown below:

[Figure: resulting translation rules]
Step 4 Provide HTTP Access to the DMZ Web Server

In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from the public networks. To configure access lists for HTTP traffic originating from any client on the Internet to the DMZ web server, complete the following:
a. Click the Configuration button at the top of the PDM window.
b. Select the Access Rules tab.
c. In the table, right click and select Add.
The Edit Rule window opens, allowing you to select the ACL rules that permit or deny traffic.
a. Under Action, select permit from the drop-down menu to allow traffic through the firewall.
b. Under Source Host/Network, click the IP Address radio button.
c. Select outside from the Interface drop-down menu.
d. Enter the Source Host/Network information (0.0.0.0 for any host or network).
e. Under Destination Host/Network, click the IP Address radio button.
f. Select dmz from the Interface drop-down menu.
g. Enter 30.30.30.30 in the IP address box.
h. Select 255.255.255.255 from the Mask drop-down menu.

Note Alternatively, you can select the Hosts/Networks in both cases by clicking on the respective Browse buttons.
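The four PDM steps above, expressed as the equivalent PIX 6.x CLI commands. This is an added illustration, not the page's own text or the commands PDM generates: the NAT ID 200 and all addresses come from the steps above, the access list name outside_access_in is assumed, and lines beginning with ! are explanatory annotations.

```cisco
! Step 1: global address pools for both public interfaces, both tied to NAT ID 200
global (dmz) 200 30.30.30.50-30.30.30.60
global (outside) 200 interface

! Step 2: dynamic translation of the inside client. A single nat statement covers
! both the DMZ pool and outside interface PAT because the globals share ID 200.
! Use 10.10.10.0 255.255.255.0 instead to cover every inside client.
nat (inside) 200 10.10.10.10 255.255.255.255

! Step 3: static one-to-one mapping that gives the DMZ web server its public identity
static (dmz,outside) 209.165.156.11 30.30.30.30 netmask 255.255.255.255

! Step 4: permit only HTTP from any Internet host to the web server, and bind the
! access list inbound on the outside interface. Everything else inbound stays denied.
! In PIX 6.x CLI the rule names the translated (public) address; PDM accepts the real
! DMZ address 30.30.30.30 and resolves it to 209.165.156.11 for you.
access-list outside_access_in permit tcp any host 209.165.156.11 eq www
access-group outside_access_in in interface outside
```

With Preview commands before sending to firewall enabled in PDM (Options > Preferences), you can compare the wizard's generated commands against this fragment before they are sent.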
The configurations should display as shown below:

[Figure: resulting access rules]

The HTTP clients on the private and public networks can now securely access the DMZ web server.

Site-to-Site VPN Configuration

Site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their networks across low-cost public Internet connections to business partners and remote offices worldwide.
PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site VPN in five simple steps. The illustration below shows an example VPN tunnel between two PIX 515E units, and is referenced in the following steps.

[Figure: site-to-site VPN tunnel across the Internet between PIX 1 at Site A (outside 1.1.1.1, inside 10.10.10.0) and PIX 2 at Site B (outside 2.2.2.2, inside 20.20.20.0)]

Step 1 Start the VPN Wizard

Use PDM to configure PIX 1.
Step 2 Configure the VPN Peer

a. Enter the Peer IP Address (PIX 2) and select an authentication key (for example, “CisCo”), which is shared for IPSec negotiations between both PIX 515E units.

Note To configure PIX 2, enter the IP address for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo).

b. To use X.509 certificates for authentication, check the Certificate radio button and the applicable option for the peer identity, FQDN (Fully Qualified Domain Name) or IP Address.
Step 3 Configure the IKE Policy

This step consists of two windows:

1. Configure the IKE negotiation parameters. In most cases, the default values are sufficient to establish secure VPN tunnels between two peers.
a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the PIX 515E during an IKE security association. Confirm all values before moving to the next window.
2. Configure the IPSec parameters.
a. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Confirm all values before continuing to the next window.

Note When configuring PIX 2, enter exactly the same values for each of the options that you selected for PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process.

b. Click the Next button to continue.
Step 4 Configure Internal Traffic

This step consists of two windows:

1. Select the network traffic on the local PIX 515E that is encrypted through the VPN tunnel.
a. Select the Local Host/Network based on the IP Address, Name, or Group.

Note Use the Browse button to select from preconfigured groups. Add or remove networks dynamically from the selected panel by clicking on the >> or << buttons respectively.

Traffic from Network A (10.10.10.0) is encrypted by PIX 1 and transmitted through the VPN tunnel.
b.
2. Select the traffic permitted from the remote PIX Firewall.
a. In the second window, select the VPN traffic for the remote network configuration. For PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this tunnel is permitted through the tunnel.

Note When configuring PIX 2, ensure that the values are correctly entered. The remote network for PIX 1 is the local network for PIX 2, and vice versa.

b. Click the Finish button to complete the configuration.
Step 5 View and Enable VPN Commands

If you enabled preview commands, you will see this page:

To enable preview commands:
a. In the main PDM page, select Options.
b. Select Preferences and check the Preview commands before sending to firewall box.

Check the configuration to ensure that all values are entered correctly. Click the Send button to enable PIX 1 for site-to-site VPN communication with PIX 2. This concludes the configuration for PIX 1.
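The commands the preview page would show for PIX 1, written here as an added PIX 6.x CLI illustration rather than the page's own output. The peer, networks, and the example key CisCo come from the steps above; the transform set name pix2set, crypto map name sitemap, access list name vpn_to_siteB, and the 3DES/SHA/group 2 choices are assumptions, and lines beginning with ! are annotations.

```cisco
! Step 2: IKE on the outside interface, peer identified by IP address, shared key for PIX 2.
! CisCo is the page's example; a long random pre-shared key is the appropriate production choice.
isakmp enable outside
isakmp identity address
isakmp key CisCo address 2.2.2.2 netmask 255.255.255.255

! Step 3, first window: IKE (phase 1) policy; both peers must agree on every value
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Step 3, second window: IPSec (phase 2) proposal, again identical on PIX 2
crypto ipsec transform-set pix2set esp-3des esp-sha-hmac

! Step 4: interesting traffic from Network A to Network B, exempted from NAT so the
! tunnel carries the real private addresses
access-list vpn_to_siteB permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 0 access-list vpn_to_siteB

! Tie the pieces together in a crypto map bound to the outside interface, and let
! decrypted IPSec traffic bypass the outside access list
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 10 match address vpn_to_siteB
crypto map sitemap 10 set peer 2.2.2.2
crypto map sitemap 10 set transform-set pix2set
crypto map sitemap interface outside
sysopt connection permit-ipsec

! PIX 2 mirrors this configuration: isakmp key for address 1.1.1.1, the access list
! reversed (20.20.20.0 to 10.10.10.0), and set peer 1.1.1.1.
```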
Establishing Site-to-Site VPNs with other Cisco Products

For information on configuring a VPN between a PIX 515E and other products, such as a Cisco router that runs Cisco IOS software or a Cisco VPN 3000 Concentrator, go to the following links:
http://www.cisco.com/warp/customer/471/pix_router_dyn.html
http://www.cisco.com/warp/public/471/ALTIGA_pix.html
http://www.cisco.com/warp/public/110/39.
Enter these commands and follow these steps to use the activation key:

Step 1  show version
        Shows the PIX Firewall software version, hardware configuration, license key, and related uptime data.
Step 2  configure terminal
        Starts configuration mode.
Step 3  activation-key activation-key-four-tuple
        Updates the PIX Firewall activation key by replacing the activation-key-four-tuple with the activation key obtained with your new license.
Step 6  dhcpd lease 3600
        Specifies the length of the lease (in seconds) granted to the DHCP client. The lease indicates how long the DHCP client can use the assigned IP address.
Step 7  dhcpd ping_timeout 750
        Configures the timeout value of a ping (in milliseconds) before an IP address is assigned to a DHCP client.
Alternative Ways to Access the PIX 515E

You can access the CLI for administration using the console port on the PIX Firewall. To do so, you must run a serial terminal emulator on a PC or workstation. Use the console port to connect to a computer to enter configuration commands. Locate the blue console cable from the accessory kit.

Step 1 Connect the blue console cable so that you have a DB-9 connector on one end, as required by the serial port on your computer, and the RJ-45 connector on the other end.
[Figure: rear-panel interface numbering (Ethernet 0 through Ethernet 5) for the two expansion-card configurations; Ethernet 0 and Ethernet 1 are the built-in 10/100 ports]

• If your PIX 515E has one or two single-port Ethernet circu
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license.

Note Do not add a single-port circuit board in the extra slot below the four-port circuit board, because the maximum number of allowed interfaces is six.

Step 4 Power on the unit from the switch at the rear to start the PIX 515E.
[Figure: PIX 515E rear panel showing the 100 Mbps, LINK, and ACT LEDs for the 10/100BaseTX Ethernet 0 and Ethernet 1 ports (RJ-45), the console port (RJ-45), the USB port, the failover connector, and the power switch]

Table 2 PIX 515E Rear Panel LEDs

LED        Color   Status   Description
100 Mbps   Green   On       100-Mbps 100BaseTX communication.
6 Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.
9 Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.