Summary of Contents for Cisco PIX 520 - PIX Firewall 520
Cisco PIX Device Manager Installation Guide, Version 3.0
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: 78-15483-01...
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CC...
Upgrading to a New Software Release 1-6
PC/Workstation Requirements 1-6
Supported Platforms 1-8
Windows 1-8
Sun Solaris 1-9
Red Hat Linux 1-9
Cisco PIX Device Manager Installation Guide, Version 3.0 78-15483-01...
Using a TFTP Server A-1
Obtaining a Windows TFTP Server A-1
Enabling UNIX TFTP Support A-2
Enabling TFTP Access on a Sun Solaris System A-2
Contents
Enabling TFTP Access on a Linux System A-2
TFTP Download Error Codes A-3
INDEX
Obtaining Technical Assistance, page xvi
Obtaining Additional Publications and Information, page xvii

Document Objectives
This guide describes how to install and access the Cisco PIX Device Manager (PDM) software.

Audience
This guide is for network administrators who perform the following:
• Manage network security...
Only trained and qualified personnel should be authorized to install, replace, or service this equipment. Warning! Only qualified personnel should install, replace, or use this equipment. Warning! Only trained and qualified personnel should be permitted to install, replace, or repair this equipment.
Translations of the warnings presented in this document can be found in the instructions shipped with the device. Note: SAVE THESE INSTRUCTIONS. Note: This document is intended to be used together with the installation guide that came with the product. See the installation guide, the configuration guide, and the other documents shipped with the product for more information.
Note: SAVE THESE INSTRUCTIONS. Note: This documentation is to be used in conjunction with the specific installation guide shipped with the product. For more information, consult the Installation Guide, the Configuration Guide, or the other enclosed documentation.
the translated safety warnings that accompany this device. NOTE! SAVE THESE INSTRUCTIONS. NOTE! This documentation is to be used in conjunction with the specific product installation guide that accompanied the product. See the installation guide, the configuration guide, or other enclosed additional documentation for further details.
The major sections of this guide are as follows:
Chapter Title: Description
Overview: Physical properties and functional overview of the Cisco PIX Device Manager (PDM) Version 3.0
Preparing to Install PDM: Preparations and other requirements before installing the PIX Firewall
Installing PDM: ...
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL: http://www.cisco.com...
24 hours a day, 365 days a year. Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.com/RPF/register/register.do...
TAC Case Priority Definitions To ensure that all cases are reported in a standard format, Cisco has established case priority definitions. Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Obtaining Additional Publications and Information
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html...
Introduction
Cisco PIX Device Manager (PDM) is a graphical user interface (GUI) that manages Cisco PIX Firewalls. PDM, a signed Java applet, uses certificates and HTTPS (HTTP over SSL) to securely transmit information between PDM and the PIX Firewall. (Enter “https” in your browser to use HTTPS.) PDM provides the following:
• GUI—Lets you configure, manage, and monitor security policies across a network.
• Embedded Architecture—Lets you manage the Cisco PIX Firewall from almost any computer, regardless of the operating system, and works with most browsers, including Microsoft Internet Explorer and Netscape Navigator. There is no application to install and no plug-in required.
DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt packet data. Cisco IOS software implements 3-key Triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
DES activation key. If your PIX Firewall is not enabled for DES, 3DES, or AES, and you are a registered Cisco user, you can receive a DES, 3DES, or AES activation key by completing the form at the following URL: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324.
• The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, download the Boothelper file from cisco.com (http://www.cisco.com/cgi-bin/tablebuild.pl/pix) to get the PIX Firewall image.
• Before upgrading from a previous PIX Firewall version, save your configuration and write down ...
To check which Java Virtual Machine (JVM) version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table. You can download the latest JVM version for Internet Explorer from Microsoft, and you can download the latest Java Plug-in from Sun Microsystems (www.java.sun.com).
Microsoft Windows XP Java Plug-in 1.4.1_02
Netscape 7.0x Java Plug-in 1.4.1_02
1. Native refers to the built-in JVM that ships with the browser.
Note PDM Version 3.0 does not support Windows 3.1 or Windows 95.
Pentium III or equivalent running at 450 MHz or higher
Random Access Memory: At least 128 MB
Display Resolution and Colors: At least 1024 x 768 pixels and 256 colors
Network Connection: Connection speed 56 Kbps; 384 Kbps (DSL or cable) recommended
Mozilla 1.0.1 on Red Hat 8.0 Java Plug-in 1.4.1
Recommended Red Hat Linux Platforms
Red Hat Linux 8.0 Mozilla 1.0.1 Java Plug-in 1.4.1_02
1. Native refers to the built-in JVM that ships with the browser.
CLI Command Support—PDM Version 3.0 uses the PIX Firewall CLI command syntax, which is very similar to Cisco IOS software, but not identical. Most PIX Firewall CLI commands are fully supported by PDM. If you are using PDM with an existing firewall configuration, refer to PDM Support for PIX Firewall CLI Commands for more information.
• Verify that you have a TFTP or FTP server installed. See Appendix A, “Using a TFTP Server,” to install a TFTP server.
• Confirm that you are a registered Cisco user. If you are not a registered user, go to http://tools.cisco.com/RPF/register/register.do, and complete the form to register.
– Registered Cisco.com users can request a DES (free), 3DES/AES activation key from the following URL: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
– New Cisco.com users can complete the form at this URL before requesting a DES (free), 3DES/AES activation key: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl
3DES/AES activation keys are available as part of a feature license upgrade and are not free.
“tftp server” on the Web. We do not specifically recommend any particular TFTP implementation. Note that recent versions of Cisco IOS software support the use of FTP instead of TFTP for loading of images or configuration files. Use of FTP overcomes a number of inherent limitations of TFTP, including a lack of security and a 16 MB file size limitation.
In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224. The remainder of the display provides information on the status of data transmission through the server.
Chapter 2 Preparing to Install PDM: Determining the IP Address of Your Server
Cisco.com username and password.)
Step 5 On the Cisco Secure PIX Firewall Software page, find the section titled “Select a File to Download”, click pdm-nnn.bin (where nnn represents the PDM software image version that you want to install) and follow the instructions presented.
Step 1 Set your FTP client to passive mode by selecting the Properties button on the Connect to FTP Site screen, selecting the Connection tab, checking Use Passive Mode, and clicking Apply.
Step 2 Start your FTP client and connect to ftp.cisco.com. Enter your Cisco.com username and password when prompted.
The HyperTerminal window is now ready to receive information from the PIX Firewall console. Wait 30 seconds for the PIX Firewall startup messages to display. These messages should appear similar to the following example:
Rebooting..
Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar 2 22:59:20 PST 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300
Use BREAK or ESC to interrupt flash boot.
To enter setup, use the setup command as shown in the following example:
pixfirewall(config)# setup
Step 4 Load the PDM image by following the steps in Table 3-1.
Note Press Enter to accept the default values.
Enter n to edit the values, or enter y to save the information to the PIX Firewall Flash memory.
Use this configuration and write to flash? y
Or, enter at the prompt to save the information to the PIX Firewall Flash memory.
Step 6 Click Save to save your settings.
Step 2 Accept the security certificate. (You must accept the certificate to use PDM.) To prevent the certificate dialog (titled “Security Alert”) from appearing in Windows Internet Explorer, perform the following steps: Click View Certificate.
Step 3 Enter your password. If no password has been set, choose and enter one at this time. Click OK to continue.
Step 4 Answer ‘Yes’ to the Security Warning asking “Do you want to install and run ‘Cisco PIX Device Manager’”? If you do not want this question to be asked next time you load PDM, check the box with the label ‘Always trust content from Cisco Systems.’...
Host Name, PIX Version, Device Type, License, PDM Version, Total Memory, and Total Flash.
Licensed Features—This area displays the Encryption features your PIX Firewall is licensed to use: Failover, Max Interfaces, Inside Hosts, IKE Peers, Max Physical Interfaces
Back to go back to the previous prompts. For assistance with deciding what to enter into the Startup Wizard dialog boxes, click Help.
IPSec peer with which you need to establish secure connectivity. To set up your PIX Firewall as a remote access client in relation to another PIX Firewall or Cisco VPN Concentrator, select the Startup Wizard from the Wizards menu.
Additionally, comments (such as these) may be inserted on individual lines or following the machine name denoted by a '#' symbol. For example:
102.54.94.97 rhino.example.com # source server
38.25.63.10 x.example.com # x client host
LAN, your computer should be configured with a route to the PIX Firewall. To set the default gateway IP address, refer to the Cisco PIX Firewall and VPN Configuration Guide. If you cannot access the PIX Firewall through PDM, follow these steps:...
When prompted, you can choose not to accept these commands, but without the network topology information, PDM can only monitor your PIX Firewall. Consequently, not accepting these commands limits your access in PDM to the Monitoring tab.
Troubleshooting
For information on PDM caveats, refer to the “Caveats” section of the Cisco PIX Device Manager Release Notes Version 3.0. Table 5-1 contains basic PDM troubleshooting scenarios.
Start PDM. Click Grant to launch PDM. This can happen on Windows, Sun Solaris, or Linux and is a problem in the Netscape Java Virtual Machine (JVM).
PDM Users panel on the Monitoring tab. If you know the IP address of the idle connection, select the row, and click Disconnect. Another administrator can now access PDM.
...tab in PDM.
The use of certain PIX Firewall CLI commands, and certain command combinations, limit access in PDM to the Monitoring tab. For more information on these commands and command combinations, see the Cisco PIX Device Manager Release Notes.
TFTP servers. As a historical note, the Cisco TFTP server was released to customers in 1995 and at a time when no other freely available TFTP servers existed. Today, there are many TFTP servers available that can be easily found by searching for “tftp server”...
If you are running Linux with “xinetd,” edit the /etc/xinetd.d/tftp file as follows:
Change the line “disable = yes” to “disable = no.”
Change the line “user = nobody” to “user = root.”
TFTP server to access the file. In UNIX, the file needs to be world readable. A TFTP packet was received out of sequence. Error codes 9 and 10 cause the download to stop.
Appendix A Using a TFTP Server: TFTP Download Error Codes