Cisco Systems PIX515E manual

Quick Start Guide Cisco PIX 515E Firewall 1 Chec k Items Included 2 Install the PIX 515E 3 Configure the PIX 51 5E 4 Example Configurations 5 Optional Maintenance and Upgrade P rocedures[...]

2 About the Cisco PIX 515E Firewall The Cisco PIX 515E delivers en terprise-class security for small-to-medium business and enterprise networks, in a modular , purpose-built appliance. Its versatile one-rack unit (1RU) design supports up to 6 10/100 Fast Ethernet interfaces, making it a n excellent choice for businesses requiring a cost-effective, [...]

3 1 Check Items Included End User License and Software Warranty PIX 515E Getting Started Guide Safety and Compliance Guide PIX 515E PC terminal adapter (74-0495-01) Documentation Blue console cable (72-1259-01) Y ellow Ethernet cable (72-1482-01) Cisco PIX Security Appliance Product CD DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED L in k F D X [...]

4 2 Install the PIX 515E Follow these steps to install the PIX 515E: Step 1 Install th e rubber feet onto the five, round, recessed ar eas on the bottom of the chassis . Note The chassis is also rack-mountable. For rack -mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Installation Guide . Step 2 Use the yellow Ethernet [...]

5 3 Configure the PIX 515E The PIX 515E comes with a factory-default configur ation that meets the needs of most small and me d iu m bu s i ne s s networking environments. A defaul t DHCP server address pool is included for hosts on th e i ns id e in te rf ac e. The factory-default configur ation on the PIX 515E protects you r inside network from u[...]

6 Step 4 T o access the Startup Wizard, use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your Internet browser . Note Remember to add the “ s ” in “ https ” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between y our browser and the PIX 515E. Step 5 Leave both th[...]

7 Step 1 Manage IP Pools fo r Network Translations For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define an IP pool (30.30.30.50–30. 30.30.60) for the DMZ interface. Similarly , an IP pool for the outside interface (209.165.156.10) is requ ired for the inside HTTP client to co[...]

8 c. Select the T ransl ation Rules tab. d. Click the Manage Pools button and a new window appears, all owing you to add or edit global address pools. Note For most configurations, global pools are adde d to the less secure, or public, interfaces. In the Manage Global Address Po ols window: a. Select the dmz interface. b. Click the Add button. In t[...]

9 b. Click the Range radio button to enter the IP address range. c. Because the range o f IP addresses for the DMZ interface i s 30.30.30.50– 30.30.30.60 , enter these values in the two fields. d. Enter a unique Pool ID (in this case, enter 200 ). e. Click the OK button to go back to the Man age Global Address Pools window . Note Y ou can also se[...]

10 When the new window comes up: a. Select outside from th e Interface drop-down menu. b. Click the Port Address T ransl ation (P A T) using the IP address of the interface radio button. c. Assign the same Pool ID for this pool as in Step d a bove (200). d. Click the OK button. Once the pools are configured, confirm their values before applying the[...]

11 Step 2 Configure Address Trans lations on Private Networks Network Address T ranslation (NA T) replaces the so urce IP ad dresses of network traffic traversing between two PIX interfaces. This tr anslation prevents the private address space s from being exposed on public networ ks and permits routing through t he public networks. Port Addre ss T[...]

12 b. Right click in the gray area below the Manage Pools button a nd select Add . c. In the new window , select the inside interface. d. Enter the IP address of the client (10.10.10.10). e. Select 255.255.255.255 from the Mask drop-down menu. Note Y ou can sele ct the inside host by clicking on the Browse bu tton. f. Select the DMZ interface on wh[...]

13 Note Enter the entire network range (10.10.10.0) or select the network using the Browse button and select the Pool ID if there are multiple HTTP clients.[...]

14 j. Click the OK button. k. Click the Proceed button. Check the displayed configu ration for accuracy . l. Click the Apply butt on to configure the PIX Firewall. Repeat the steps to configure inte rface P A T between the inside and outside interfaces. T he procedure remains the same, except the interface on whic h the translation is required is n[...]

15 Step 3 Configure Ext ernal Identity for the DMZ Web Server The DMZ server is easily accessible by al l hosts on the Internet. This configuration requires tran slating the DMZ server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the firewall. Complete the following steps to map [...]

16 The configurations should display as show n below:[...]

17 Step 4 Provide HTTP Access to the DMZ Web Server In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from the public networks. T o configure access lists for HTTP tra ffic originating from any client on the Internet to the DMZ web server , complete the following: a. Click the Confi[...]

18 The Edit Rule window opens up, allowin g you to select the ACL rules to permit/deny traffic. a. Under Action, select permit from the drop-down menu to allow traffic throu gh the firewall. b. Under Source Host/Network, click the IP Address radio button. c. Select outsid e from th e Interface drop-down menu.[...]

19 d. Enter the Source Host/Network information (0.0.0.0 for any host or network). e. Under Destination Host/Network, click th e IP Address radio button. f. Select dmz from the Interface drop-down menu. g. Enter 30.30.30.30 in the IP address box. h. Select 255.255.255.255 from the Mask drop-down menu. Note Alternatively , you can select the Ho sts/[...]

20 The configurations should display as show n below: The HTTP clients on the private and public netw orks can now securely access the DMZ web server . Site-to-Site VPN Configuration Site-to-site VPN (V irtual Private Networking) features provided by the PIX 515E enable businesses to securely exte nd their networ ks across low-co st pub lic Interne[...]

21 PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site VPN in fi ve simple steps. The illustration below sho ws an example VPN tunnel between two PIX 515E, and will be referenced in the following steps. Step 1 Start the VPN Wizard Use PDM to configure PIX 1. In the main PDM page, sel e[...]

22 Step 2 Configure the VPN Peer a. Enter the Peer IP Address (PIX 2) and select an authentication key (for example,“CisCo”), which is shared for IPSec negotiations between both PIX 515E units. Note T o configure PIX 2, enter the IP address fo r PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo). b. T o use X.509 certificates for authenticatio[...]

23[...]

24 Step 3 Configure the IKE Policy This step is comprised of two windows: 1. Configure the IKE negotiation parameters. In most case s, the defaul t values are suf ficient to establish secure VPN tunnels between two peers. a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the P[...]

25 2. Configure the IPSec parameters. a. In the second window , select the Encryption algorithm (DES/3D ES/AES) and Authentication algorithm (MD5/SHA). Confirm all values before continuing to the next window . Note When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1. Encryption and algorithm mi sm[...]

26 Step 4 Configure Internal Traffic This step is comprised of two window s: 1. Select network traffic on the local PI X 515E encrypted through the VPN tunnel. a. Select the Local Host/Network based on the IP Address, Name, or Group. Note Use the Browse button to select from preconfigured groups. Add or remove networks dynamically from the selected[...]

27 2. Select traffic permitted fr om the remote PIX Firewall. a. In the second window , select VPN traffic for re mote network configuration. For PIX 1, the remote network is Network B ( 20.20.20.0) so traffic encrypted from this tunnel is permitted through the tunnel. Note When configuring PIX 2, ensure that the va lues are correctly entered. The [...]

28 Step 5 View and Enable VPN Commands If you enabled preview comman ds, you w ill see this page: T o enable preview command s: a. In the main PDM page, select Options. b. Select Preferenc es and check the Preview commands before sending to firewall box. Check the configuration to ensure that all values are entered correctly . Click the Send button[...]

29 Establishing Site-to-Site VP Ns with other Cisco Products For information on configuring VPN between a PIX 515 E and other pro ducts such as a Cisco router that runs Cisco IOS software, and Cisco VPN 30 00 Concentrators, go to the following links: http://www .cisco.com/warp/customer/471/pix_router_dyn.html http://www .cisco.com/warp/public/471/A[...]

30 Enter these commands and follow th ese steps to use the ac tivation key: Restore the Default Configuration T o restore your default configuration back to the factory-default values, enter the fo llowing CLI commands by completing the following steps: Command Description Step 1 show version Shows the PIX Firewall softwa re version, hardware confi[...]

31 Refer to the following website for detailed command information and configu ration examples: http://www .cisco.com/univercd/cc/td/doc/produc t/iaabu/pix/pix_ sw/v_63/cmdref/index.htm The Cisco T AC website is availa ble to all customers who need tec hnical assistance. T o access the T A C website, go to: http://www .cisco.com/tac Step 6 dhcpd le[...]

32 Alternative Ways to Access the PIX 515E Y ou can access the CL I for administration using the console port on the PIX Firewall. T o do so, you must run a serial terminal emulator on a PC or worksta tion . Step 1 Connect the blue console cable so tha t you have a DB-9 connector on one end as required by the serial port for your computer , and the[...]

33 • If your PIX 515E has one or two sin gle-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit a t the rear , the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3. (Using more than one Ethernet circuit board requires the PIX 515E[...]

34 Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2 , Ethernet 3, Ethernet 4, and Ethernet 5. Th e maximum number of allowed interfaces is six with an unrestricted license. Note Do not add a single-port circuit board in the extra slot below the four -po[...]

35 T able 2 PIX 515E Real P anel LEDs LED Color Status Description 100 Mbps Green On 100-Mbps 100BaseTX communication. If the light is off, the port is using 10-Mb ps data exchange. ACT Green Flashing Shows that data is passing on the network to which the connector is attached. LINK Green On Shows that the connection uses full-duplex data exchang e[...]

36 6 Obtaining Documentation Cisco provides several ways to obtai n document ation, technical assistance, and other technical resources. These sections ex pl ain how to obtain technica l information from Cisco Systems. Cisco.com Y ou can access the most current Cisco documentation on the W orld Wide W eb at this URL: http://www .cisco.com/univercd/[...]

37 Y ou can order Cisco documentation i n these ways: • Registered Cisco.com users (Cis co direct custom ers) can order Cisco product documentation from the Networking Pr oducts MarketPlace: http://www .cisco.com/en/US/partner/ordering/index.shtml • Nonregistered Cisco.com users can order document ation through a local account representa tive b[...]

38 Opening a TAC Case Using the online T AC Case Open T ool is the fastest way to open P3 and P 4 cases. (P3 and P4 cases a re those in which your network is minimally impaired or for which y ou require product information.) After you describe your situation, the T AC Case Open T ool automatically recommends resources for an immediate solution. If [...]

39 9 Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networki ng products offered by Cisco Systems, as well as ordering and customer support services. Ac cess the Cisco Product Cat[...]

40[...]

Corporate Headquarters Cisco Systems, Inc. 170 W est T asman Drive San Jose, CA 95134-1706 USA www .cisco.com T el: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Head quarters Cisco Systems Internat ional BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cis co.com T el: 31 0 20 35 7 1000 Fax: 31 0 2[...]

42[...]