Cisco Systems PIX515E manual


A good user manual

The rules oblige the reseller to supply the buyer with the manual together with the Cisco Systems PIX515E product. A missing manual, or incorrect information supplied to the consumer, is grounds for a complaint that the product does not conform to the contract. By law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphic form, an electronic manual, or Cisco Systems PIX515E instructional videos for users. The condition is that the form be legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", to instruct. So in the Cisco Systems PIX515E manual you can find a description of the stages of the process. The purpose of the manual is to instruct, to make it easier to start up and use the equipment or to carry out specific tasks. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the Cisco Systems PIX515E manual, yet a good manual not only lets you learn a number of additional features of the device, but also prevents most failures.

So what should the perfect manual contain?

First of all, the Cisco Systems PIX515E manual should contain:
- technical data of the Cisco Systems PIX515E device
- the manufacturer's name and the year of manufacture of the Cisco Systems PIX515E device
- instructions for use, adjustment and maintenance of the Cisco Systems PIX515E device
- safety markings and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually this is due to a lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Cisco Systems PIX515E is not enough. The manual contains a number of guidelines on specific functions, safety, maintenance methods (even on which products should be used), possible Cisco Systems PIX515E defects and ways of solving common problems during use. Finally, the manual gives the contact details of Cisco Systems service for when the proposed solutions do not work. Nowadays, manuals in the form of engaging animations and instructional videos are much appreciated, as they speak to the user better than a leaflet. This kind of manual gives the user a chance to go through the whole instructional video without skipping the complicated Cisco Systems PIX515E specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the Cisco Systems PIX515E device, the use of the individual accessories and a range of information that lets you make full use of all its features and conveniences.

After successfully purchasing a piece of equipment or a device, it is worth taking a moment to get acquainted with every part of the Cisco Systems PIX515E manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic informative function.

Manual contents

  • Page 1

    Quick Start Guide Cisco PIX 515E Firewall 1 Check Items Included 2 Install the PIX 515E 3 Configure the PIX 515E 4 Example Configurations 5 Optional Maintenance and Upgrade Procedures[...]

  • Page 2

    2 About the Cisco PIX 515E Firewall The Cisco PIX 515E delivers enterprise-class security for small-to-medium business and enterprise networks, in a modular, purpose-built appliance. Its versatile one-rack unit (1RU) design supports up to 6 10/100 Fast Ethernet interfaces, making it an excellent choice for businesses requiring a cost-effective, [...]

  • Page 3

    3 1 Check Items Included End User License and Software Warranty PIX 515E Getting Started Guide Safety and Compliance Guide PIX 515E PC terminal adapter (74-0495-01) Documentation Blue console cable (72-1259-01) Yellow Ethernet cable (72-1482-01) Cisco PIX Security Appliance Product CD DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED Link FDX [...]

  • Page 4

    4 2 Install the PIX 515E Follow these steps to install the PIX 515E: Step 1 Install the rubber feet onto the five, round, recessed areas on the bottom of the chassis. Note The chassis is also rack-mountable. For rack-mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Installation Guide. Step 2 Use the yellow Ethernet [...]

  • Page 5

    5 3 Configure the PIX 515E The PIX 515E comes with a factory-default configuration that meets the needs of most small and medium business networking environments. A default DHCP server address pool is included for hosts on the inside interface. The factory-default configuration on the PIX 515E protects your inside network from u[...]

  • Page 6

    6 Step 4 To access the Startup Wizard, use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your Internet browser. Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX 515E. Step 5 Leave both th[...]

  • Page 7

    7 Step 1 Manage IP Pools for Network Translations For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define an IP pool (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.10) is required for the inside HTTP client to co[...]

  • Page 8

    8 c. Select the Translation Rules tab. d. Click the Manage Pools button and a new window appears, allowing you to add or edit global address pools. Note For most configurations, global pools are added to the less secure, or public, interfaces. In the Manage Global Address Pools window: a. Select the dmz interface. b. Click the Add button. In t[...]

  • Page 9

    9 b. Click the Range radio button to enter the IP address range. c. Because the range of IP addresses for the DMZ interface is 30.30.30.50–30.30.30.60, enter these values in the two fields. d. Enter a unique Pool ID (in this case, enter 200). e. Click the OK button to go back to the Manage Global Address Pools window. Note You can also se[...]

  • Page 10

    10 When the new window comes up: a. Select outside from the Interface drop-down menu. b. Click the Port Address Translation (PAT) using the IP address of the interface radio button. c. Assign the same Pool ID for this pool as in Step d above (200). d. Click the OK button. Once the pools are configured, confirm their values before applying the[...]

  • Page 11

    11 Step 2 Configure Address Translations on Private Networks Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing between two PIX interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port Address T[...]

  • Page 12

    12 b. Right click in the gray area below the Manage Pools button and select Add. c. In the new window, select the inside interface. d. Enter the IP address of the client (10.10.10.10). e. Select 255.255.255.255 from the Mask drop-down menu. Note You can select the inside host by clicking on the Browse button. f. Select the DMZ interface on wh[...]

  • Page 13

    13 Note Enter the entire network range (10.10.10.0) or select the network using the Browse button and select the Pool ID if there are multiple HTTP clients.[...]

  • Page 14

    14 j. Click the OK button. k. Click the Proceed button. Check the displayed configuration for accuracy. l. Click the Apply button to configure the PIX Firewall. Repeat the steps to configure interface PAT between the inside and outside interfaces. The procedure remains the same, except the interface on which the translation is required is n[...]

  • Page 15

    15 Step 3 Configure External Identity for the DMZ Web Server The DMZ server is easily accessible by all hosts on the Internet. This configuration requires translating the DMZ server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the firewall. Complete the following steps to map [...]

  • Page 16

    16 The configurations should display as shown below:[...]

  • Page 17

    17 Step 4 Provide HTTP Access to the DMZ Web Server In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from the public networks. To configure access lists for HTTP traffic originating from any client on the Internet to the DMZ web server, complete the following: a. Click the Confi[...]

  • Page 18

    18 The Edit Rule window opens up, allowing you to select the ACL rules to permit/deny traffic. a. Under Action, select permit from the drop-down menu to allow traffic through the firewall. b. Under Source Host/Network, click the IP Address radio button. c. Select outside from the Interface drop-down menu.[...]

  • Page 19

    19 d. Enter the Source Host/Network information (0.0.0.0 for any host or network). e. Under Destination Host/Network, click the IP Address radio button. f. Select dmz from the Interface drop-down menu. g. Enter 30.30.30.30 in the IP address box. h. Select 255.255.255.255 from the Mask drop-down menu. Note Alternatively, you can select the Hosts/[...]

  • Page 20

    20 The configurations should display as shown below: The HTTP clients on the private and public networks can now securely access the DMZ web server. Site-to-Site VPN Configuration Site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their networks across low-cost public Interne[...]

  • Page 21

    21 PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site VPN in five simple steps. The illustration below shows an example VPN tunnel between two PIX 515E, and will be referenced in the following steps. Step 1 Start the VPN Wizard Use PDM to configure PIX 1. In the main PDM page, sele[...]

  • Page 22

    22 Step 2 Configure the VPN Peer a. Enter the Peer IP Address (PIX 2) and select an authentication key (for example, “CisCo”), which is shared for IPSec negotiations between both PIX 515E units. Note To configure PIX 2, enter the IP address for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo). b. To use X.509 certificates for authenticatio[...]

  • Page 23

    23[...]

  • Page 24

    24 Step 3 Configure the IKE Policy This step is comprised of two windows: 1. Configure the IKE negotiation parameters. In most cases, the default values are sufficient to establish secure VPN tunnels between two peers. a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the P[...]

  • Page 25

    25 2. Configure the IPSec parameters. a. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Confirm all values before continuing to the next window. Note When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1. Encryption and algorithm mism[...]

  • Page 26

    26 Step 4 Configure Internal Traffic This step is comprised of two windows: 1. Select network traffic on the local PIX 515E encrypted through the VPN tunnel. a. Select the Local Host/Network based on the IP Address, Name, or Group. Note Use the Browse button to select from preconfigured groups. Add or remove networks dynamically from the selected[...]

  • Page 27

    27 2. Select traffic permitted from the remote PIX Firewall. a. In the second window, select VPN traffic for remote network configuration. For PIX 1, the remote network is Network B (20.20.20.0) so traffic encrypted from this tunnel is permitted through the tunnel. Note When configuring PIX 2, ensure that the values are correctly entered. The [...]

  • Page 28

    28 Step 5 View and Enable VPN Commands If you enabled preview commands, you will see this page: To enable preview commands: a. In the main PDM page, select Options. b. Select Preferences and check the Preview commands before sending to firewall box. Check the configuration to ensure that all values are entered correctly. Click the Send button[...]

  • Page 29

    29 Establishing Site-to-Site VPNs with other Cisco Products For information on configuring VPN between a PIX 515E and other products such as a Cisco router that runs Cisco IOS software, and Cisco VPN 3000 Concentrators, go to the following links: http://www.cisco.com/warp/customer/471/pix_router_dyn.html http://www.cisco.com/warp/public/471/A[...]

  • Page 30

    30 Enter these commands and follow these steps to use the activation key: Restore the Default Configuration To restore your default configuration back to the factory-default values, enter the following CLI commands by completing the following steps: Command Description Step 1 show version Shows the PIX Firewall software version, hardware confi[...]

  • Page 31

    31 Refer to the following website for detailed command information and configuration examples: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/index.htm The Cisco TAC website is available to all customers who need technical assistance. To access the TAC website, go to: http://www.cisco.com/tac Step 6 dhcpd le[...]

  • Page 32

    32 Alternative Ways to Access the PIX 515E You can access the CLI for administration using the console port on the PIX Firewall. To do so, you must run a serial terminal emulator on a PC or workstation. Step 1 Connect the blue console cable so that you have a DB-9 connector on one end as required by the serial port for your computer, and the[...]

  • Page 33

    33 • If your PIX 515E has one or two single-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3. (Using more than one Ethernet circuit board requires the PIX 515E[...]

  • Page 34

    34 Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license. Note Do not add a single-port circuit board in the extra slot below the four-po[...]

  • Page 35

    35 Table 2 PIX 515E Rear Panel LEDs LED Color Status Description 100 Mbps Green On 100-Mbps 100BaseTX communication. If the light is off, the port is using 10-Mbps data exchange. ACT Green Flashing Shows that data is passing on the network to which the connector is attached. LINK Green On Shows that the connection uses full-duplex data exchange[...]

  • Page 36

    36 6 Obtaining Documentation Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/[...]

  • Page 37

    37 You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml • Nonregistered Cisco.com users can order documentation through a local account representative b[...]

  • Page 38

    38 Opening a TAC Case Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If [...]

  • Page 39

    39 9 Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Cat[...]

  • Page 40

    40[...]

  • Page 41

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 2[...]

  • Page 42

    42[...]