Table of Contents
Advertisement
Management Considerations for the Cisco Pix
Both deployment methods described in the sections that follow use the PIX's WAN interface IP address as the
means of external connectivity to the internal SMA/SRA appliance. The PIX has the ability to be managed
through HTTP/S, but cannot have their default management ports (80,443) reassigned in the recommended PIX
OS version. Because of this, the HTTP/S management interface must be deactivated. To deactivate the HTTP/S
management interface, issue the command 'clear http'.
NOTE:
If you have a separate static WAN IP address to assign to the SMA/SRA appliance, you do not have
to deactivate the HTTP/S management interface on the PIX.
Method One – SMA/SRA Appliance on LAN
Interface
1
From a management system, log in to the SMA/SRA appliance's Secure Mobile Access management
interface. By default the management interface is X0 and the default IP address is 192.168.200.1.
2
Navigate to the Network > Interfaces page and click on the configure icon for the X0 interface. On the
pop-up that appears, change the X0 address to 192.168.100.2 with a mask of 255.255.255.0. When
done, click OK to save and activate the change.
3
Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1 When
done, click Accept in the upper-right corner to save and activate the change.
4
Navigate to the NetExtender > Client Addresses page. You need to enter a range of IP addresses for
the 192.168.100.0/24 network that are not in use on your internal LAN network; if your network has an
existing DHCP server or the PIX is running a DHCP server on its internal interface, you need to make sure
not to conflict with these addresses. For example: enter 192.168.100.201 in the field next to Client
Address Range Begin:, and enter 192.168.100.249 in the field next to Client Address Range End:.
When done, click Accept in the upper-right corner to save and activate the change.
5
Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If there is
an entry for 192.168.200.0, delete it.
6
Navigate to the Network > DNS page and enter your internal network's DNS addresses, internal domain
name, and WINS server addresses. These are critical for NetExtender to function correctly. When done,
click Accept in the upper-right corner to save and activate the change.
7
Navigate to the System > Restart page and click Restart...
8
Install the SMA/SRA appliance's X0 interface on the LAN network of the PIX. Do not hook any of the
appliance's other interfaces up.
9
Connect to the PIX's management CLI by way of the console port, telnet, or SSH and enter configure
mode.
10 Issue the command 'clear http' to shut off the PIX's HTTP/S management interface.
11 Issue the command 'access-list sslvpn permit tcp any host x.x.x.x eq www' (replace x.x.x.x with the
WAN IP address of your PIX)
12 Issue the command 'access-list sslvpn permit tcp any host x.x.x.x eq https' (replace x.x.x.x with the
WAN IP address of your PIX)
13 Issue the command 'static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask
255.255.255.255 0 0' (replace x.x.x.x with the WAN IP address of your PIX)
14 Issue the command 'static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask
255.255.255.255 0 0' (replace x.x.x.x with the WAN IP address of your PIX)
15 Issue the command 'access-group sslvpn in interface outside'
16 Exit config mode and issue the command 'wr mem' to save and activate the changes.
17 From an external system, attempt to connect to the SMA/SRA appliance using both HTTP and HTTPS. If
you cannot access the SMA/SRA appliance, check all previous steps and test again.
Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
439
Advertisement
Chapters
Table of Contents
Troubleshooting
