Cisco 515E - PIX Restricted Bundle, Getting Started Manual

Page 1: ...c 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco PIX 515E Security Appliance Getting Started Guide Customer Order Number DOC 7817654 Text Part Number 78 17645 01 ...

Page 2: ...OR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco PIX 515E Security Appliance Getting Started Guide 2006 Cisco Systems Inc All rights reserved CCSP CCVP the Cisco Square Bridge ...

Page 3: ...7 Before Launching the Startup Wizard 1 7 Running the Startup Wizard 1 8 What to Do Next 1 9 C H A P T E R 2 Scenario DMZ Configuration 2 1 Example DMZ Network Topology 2 1 Configuring the Security Appliance for a DMZ Deployment 2 4 Configuration Requirements 2 5 Starting ASDM 2 6 Creating IP Pools for Network Address Translation 2 7 Configuring NAT for Inside Clients to Communicate with the DMZ W...

Page 4: ...ess Pools 3 11 Configuring Client Attributes 3 12 Configuring the IKE Policy 3 13 Configuring IPsec Encryption and Authentication Parameters 3 15 Specifying Address Translation Exception and Split Tunneling 3 16 Verifying the Remote Access VPN Configuration 3 17 What to Do Next 3 18 C H A P T E R 4 Scenario Site to Site VPN Configuration 4 1 Example Site to Site VPN Network Topology 4 1 Implementi...

Page 5: ...ing Started Guide 78 17645 01 Contents Viewing VPN Attributes and Completing the Wizard 4 11 Configuring the Other Side of the VPN Connection 4 13 What to Do Next 4 13 A P P E N D I X A Obtaining a DES License or a 3DES AES License A 1 ...

Page 6: ...Contents vi PIX 515E Security Appliance Getting Started Guide 78 17645 01 ...

Page 7: ...s chapter describes how to install and perform the initial configuration of the security appliance This chapter includes the following sections Verifying the Package Contents page 1 2 Installing the PIX 515E Security Appliance page 1 3 Front and Back Panel Components page 1 4 Setting Up the Security Appliance page 1 5 What to Do Next page 1 9 ...

Page 8: ... w a r e W a r r a n t y P I X 5 1 5 E G e t t i n g S t a r t e d G u i d e S a f e t y a n d C o m p l i a n c e G u i d e PIX 515E PC terminal adapter 74 0495 01 Documentation Blue console cable 72 1259 01 Yellow Ethernet cable 72 1482 01 C i s c o P I X S e c u r i t y A p p l i a n c e P r o d u c t C D DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED Link FDX FDX 100 Mbps Link 100 Mbps FAIL...

Page 9: ...lowing steps a Attach the brackets to the chassis with the supplied screws The brackets attach to the holes near the front of the chassis b Attach the chassis to the equipment rack Step 2 Use one of the provided yellow Ethernet cables to connect the outside 10 100 Ethernet interface Ethernet 0 to a DSL modem cable modem router or switch Step 3 Use the other provided yellow Ethernet cable to connec...

Page 10: ...ates the LEDs on the front panel of the PIX515E Security Appliance Figure 1 3 PIX515E Security Appliance Front Panel LEDs Figure 1 4 illustrates the back panel components LED Color State Description POWER Green On On when the unit has power ACT Green On If part of a failover pair the light is on when the unit is the active unit Off If part of a failover pair the light is off when the unit is in st...

Page 11: ...edures in this chapter refer to the method using ASDM Note To use ASDM you must have a DES license or a 3DES AES license For more information see Appendix A Obtaining a DES License or a 3DES AES License This section includes the following topics About the Factory Default Configuration page 1 6 About the Adaptive Security Device Manager page 1 6 Using the Startup Wizard page 1 7 97784 DO NOT INSTAL...

Page 12: ... default configuration automatically configures an interface for management so you can quickly connect to the device and use ASDM to complete your configuration By default the security appliance management interface is configured with a default DHCP address pool This configuration enables a client on the inside network to obtain a DHCP address from the security appliance to connect to the applianc...

Page 13: ...ion Guide and the Cisco Security Appliance Command Reference Using the Startup Wizard ASDM includes a Startup Wizard to simplify the initial configuration of your security appliance With a few steps the Startup Wizard enables you to configure the security appliance so that it allows packets to flow securely between the inside network and the outside network This section describes how to use the St...

Page 14: ...e following steps Step 1 Use an Ethernet cable to connect your PC to the inside port Ethernet 1 on the rear panel of the PIX 515E Step 2 Configure your PC to use DHCP to receive an IP address automatically from the PIX 515E Alternatively you can assign a static IP address to your PC If you use a static IP address use any address from the 192 168 1 0 range except 192 168 1 1 This IP address is assi...

Page 15: ... For information about any field in the Startup Wizard click Help at the bottom of the window Note Based on your network security policy you should also consider configuring the security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary You can configure this access control policy using the icmp command For more information about the icmp com...

Page 16: ...Chapter 1 Installing and Setting Up the PIX 515E Security Appliance What to Do Next 1 10 PIX 515E Security Appliance Getting Started Guide 78 17645 01 ...

Page 17: ...rized zone DMZ A DMZ is a separate network located in the neutral zone between a private inside network and a public outside network This chapter includes the following sections Example DMZ Network Topology page 2 1 Configuring the Security Appliance for a DMZ Deployment page 2 4 What to Do Next page 2 24 Example DMZ Network Topology The example network topology shown in Figure 2 1 is typical of m...

Page 18: ...Z web server all other traffic is denied The network has two routable IP addresses that are publicly available one for the outside interface of the security appliance 209 165 200 225 and one for the public IP address of the DMZ web server 209 165 200 226 Figure 2 2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the Internet 132064 Intern...

Page 19: ...dresses are not visible to the Internet For traffic destined for the DMZ web server private IP addresses are translated to an address from an IP pool For traffic destined for the Internet private IP addresses are translated to the public IP address of the security appliance Outgoing traffic appears to come from this address Figure 2 3 shows HTTP requests originating from the Internet and destined ...

Page 20: ...e DMZ web server The procedures for creating this configuration are detailed in the remainder of this chapter Configuring the Security Appliance for a DMZ Deployment This section describes how to use ASDM to configure the security appliance for the configuration scenario shown in Figure 2 1 The procedure uses sample parameters based on the scenario 153779 Internet HTTP client HTTP client Security ...

Page 21: ...uring an External Identity for the DMZ Web Server page 2 16 Providing Public HTTP Access to the DMZ Web Server page 2 18 The following sections provide detailed instructions for how to perform each step Configuration Requirements Configuring the security appliance for this DMZ deployment requires the following configuration tasks For the internal clients to have HTTP access to the DMZ web server y...

Page 22: ...Z web server you must configure an external identity for the DMZ web server and an access rule that permits HTTP requests coming from clients on the Internet To accomplish this task you should configure the following Create a static NAT rule This rule translates the real IP address of the DMZ web server to a single public IP address In this scenario the public address of the web server is 209 165 ...

Page 23: ...ion The security appliance uses Network Address Translation NAT and Port Address Translation PAT to prevent internal IP addresses from being exposed externally This procedure describes how to create a pool of IP addresses that the DMZ interface and outside interface can use for address translation A single IP pool can contain both NAT and PAT entries and it can contain entries for more than one in...

Page 24: ...work address translation perform the following steps Step 1 In the ASDM window click the Configuration tool a In the Features pane click NAT The NAT Configuration screen appears b In the right pane click the Global Pools tab c Click Add to create a new global pool for the DMZ interface The Add Global Address Pool dialog box appears Note For most configurations IP pools are added to the less secure...

Page 25: ...Z e To create a new IP pool enter a unique Pool ID In this scenario the Pool ID is 200 f In the IP Addresses to Add area specify the range of IP addresses to be used by the DMZ interface Click the Range radio button Enter the Starting IP address and Ending IP address of the range In this scenario the range of IP addresses is 10 30 30 50 10 30 30 60 Optional Enter the Netmask for the range of IP ad...

Page 26: ...ed by the outside interface These addresses are used to translate private IP addresses so that inside clients can communicate securely with clients on the Internet In this scenario there are limited public IP addresses available Use Port Address Translation PAT so that many internal IP addresses can map to the same public IP address as follows a In the right pane of the NAT Configuration screen cl...

Page 27: ...he Pool ID is 200 e Click the Port Address Translation PAT using the IP address of the interface radio button If you select the option Port Address Translation using the IP address of the interface all traffic initiated from the inside network exits the security appliance using the IP address of the outside interface To the devices on the Internet it appears that all traffic is coming from this on...

Page 28: ...nfiguration should be similar to the following Step 3 Confirm that the configuration values are correct Step 4 Click Apply in the main ASDM window Configuring NAT for Inside Clients to Communicate with the DMZ Web Server In the previous procedure you created a pool of IP addresses that could be used by the security appliance to mask the private IP addresses of inside clients ...

Page 29: ...ule dialog box appears Step 4 In the Real Address area specify the IP address to be translated For this scenario address translation for inside clients is done according to the IP address of the subnet a From the Interface drop down list choose the Inside interface b Enter the IP address of the client or network In this scenario the IP address of the network is 10 10 10 0 c From the Netmask drop d...

Page 30: ...slation rule appears as you expected Note When you click OK to create this rule notice that there are actually two translation rules created A translation rule between the inside and DMZ interfaces to be used when inside clients communicate with the DMZ web server A translation rule between the inside and outside interfaces to be used when inside clients communicate with the Internet ASDM is able ...

Page 31: ...uld be similar to the following Step 6 Click Apply to complete the security appliance configuration changes Configuring NAT for Inside Clients to Communicate with Devices on the Internet In the previous procedure you configured a Network Address Translation NAT rule that associates IP addresses from the IP pool with the inside clients so they can communicate securely with the DMZ web server ...

Page 32: ...entity for the DMZ Web Server The DMZ web server needs to be accessible by all hosts on the Internet This configuration requires translating the private IP address of the DMZ web server to a public IP address enabling access to outside HTTP clients that are unaware of the security appliance To map the real web server IP address 10 30 30 30 statically to a public IP address 209 165 200 226 perform ...

Page 33: ...the web server a From the Interface drop down list choose Outside b From the IP Address drop down list choose the public IP address of the DMZ web server In this scenario the public IP address of the DMZ web server is 209 165 200 226 Step 6 Click OK to add the rule and return to the list of Address Translation Rules This rule maps the real web server IP address 10 30 30 30 statically to the public...

Page 34: ...Click Apply to complete the security appliance configuration changes Providing Public HTTP Access to the DMZ Web Server By default the security appliance denies all traffic coming in from the public network You must create an access control rule on the security appliance to permit specific traffic types from the public network to resources in the DMZ This access control rule specifies the interfac...

Page 35: ...on you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet if the destination of the traffic is the web server on the DMZ network All other traffic coming in from the public network is denied To configure the access control rule perform the following steps Step 1 In the ASDM window a Click the Configuration tool b In the Features pane click...

Page 36: ...Interface and Action area a From the Interface drop down list choose Outside b From the Direction drop down list choose Incoming c From the Action drop down list choose Permit Step 3 In the Source area a From the Type drop down list choose IP Address b Enter the IP address of the source host or source network Use 0 0 0 0 to allow traffic originating from any host or network ...

Page 37: ...enter the public IP address of the destination host or network such as a web server In this scenario the public IP address of the DMZ web server is 209 165 200 226 Step 5 In the Protocol and Service area specify the type of traffic that you want to permit through the security appliance a From the Protocol drop down list choose tcp b In the Source Port area click the Service radio button choose equ...

Page 38: ...2 22 PIX 515E Security Appliance Getting Started Guide 78 17645 01 At this point the entries in the Add Access Rule dialog box should be similar to the following d Click OK Step 6 The displayed configuration should be similar to the following Verify that the information you entered is accurate ...

Page 39: ... for content from the DMZ web server while keeping the private network secure Note Although the destination address specified is the private address of the DMZ web server 10 30 30 30 HTTP traffic from any host on the Internet destined for the public address 209 165 200 226 is permitted through the security appliance The address translation 209 165 200 226 to 10 30 30 30 allows the traffic to be pe...

Page 40: ...e starts What to Do Next If you are deploying the security appliance solely to protect a web server in a DMZ you have completed the initial configuration You may want to consider performing some of the following additional steps You can configure the security appliance for more than one application The following sections provide configuration procedures for other common applications of the securit...

Page 41: ...Guide 78 17645 01 Chapter 2 Scenario DMZ Configuration What to Do Next To Do This See Configure a remote access VPN Chapter 3 Scenario IPsec Remote Access VPN Configuration Configure a site to site VPN Chapter 4 Scenario Site to Site VPN Configuration ...

Page 42: ...Chapter 2 Scenario DMZ Configuration What to Do Next 2 26 PIX 515E Security Appliance Getting Started Guide 78 17645 01 ...

Page 43: ...e users If you are implementing an Easy VPN solution this chapter describes how to configure the Easy VPN server sometimes called a headend device This chapter includes the following sections Example IPsec Remote Access VPN Network Topology page 3 1 Implementing the IPsec Remote Access VPN Scenario page 3 2 What to Do Next page 3 18 Example IPsec Remote Access VPN Network Topology Figure 3 1 shows...

Page 44: ...implementing an Easy VPN solution this section describes how to configure an Easy VPN server also known as a headend device Values for example configuration settings are taken from the remote access scenario illustrated in Figure 3 1 This section includes the following topics Information to Have Available page 3 3 Starting ASDM page 3 3 Configuring the PIX 515E for an IPsec Remote Access VPN page ...

Page 45: ... Before you begin configuring the security appliance to accept remote access IPsec VPN connections make sure that you have the following information available Range of IP addresses to be used in an IP pool These addresses are assigned to remote VPN clients as they are successfully connected List of users to be used in creating a local authentication database unless you are using a AAA server for a...

Page 46: ...c Remote Access VPN Scenario 3 4 PIX 515E Security Appliance Getting Started Guide 78 17645 01 Note Remember to add the s in https or the connection fails HTTPS HTTP over SSL provides a secure connection between your browser and the security appliance The Main ASDM window appears ...

Page 47: ... To begin the process for configuring a remote access VPN perform the following steps Step 1 In the main ASDM window choose VPN Wizard from the Wizards drop down menu The VPN Wizard Step 1 screen appears Step 2 In Step 1 of the VPN Wizard perform the following steps a Click the Remote Access VPN radio button b From the drop down list choose Outside as the enabled interface for the incoming VPN tun...

Page 48: ...ed Guide 78 17645 01 Selecting VPN Client Types In Step 2 of the VPN Wizard perform the following steps Step 1 Specify the type of VPN client that will enable remote users to connect to this security appliance For this scenario click the Cisco VPN Client radio button You can also use any other Cisco Easy VPN remote product Step 2 Click Next to continue ...

Page 49: ...ter a preshared key for example Cisco This key is used for IPsec negotiations between the security appliances To use digital certificates for authentication click the Certificate radio button choose the Certificate Signing Algorithm from the drop down list and then choose a preconfigured trustpoint name from the drop down list If you want to use digital certificates for authentication but have not...

Page 50: ...roup Name such as Cisco for the set of users that use common connection parameters and client attributes to connect to this security appliance Step 3 Click Next to continue Specifying a User Authentication Method Users can be authenticated either by a local authentication database or by using external authentication authorization and accounting AAA servers RADIUS TACACS SDI NT Kerberos and LDAP ...

Page 51: ...Step 1 If you want to authenticate users by creating a user database on the security appliance click the Authenticate Using the Local User Database radio button Step 2 If you want to authenticate users with an external AAA server group a Click the Authenticate Using an AAA Server Group radio button b Choose a preconfigured server group from the drop down list or click New to add a new server group...

Page 52: ...ing User Accounts If you have chosen to authenticate users with the local user database you can create new user accounts here You can also add users later using the ASDM configuration interface In Step 5 of the VPN Wizard perform the following steps Step 1 To add a new user enter a username and password and then click Add Step 2 When you have finished adding new users click Next to continue ...

Page 53: ...sfully connected In this scenario the pool is configured to use the range of IP addresses 209 165 201 1 209 166 201 20 In Step 6 of the VPN Wizard perform the following steps Step 1 Enter a pool name or choose a preconfigured pool from the drop down list Alternatively click New to create a new address pool The Add IP Pool dialog box appears Step 2 In the Add IP Pool dialog box a Enter the Starting...

Page 54: ... needs basic network configuration information such as which DNS and WINS servers to use and the default domain name Rather than configuring each remote client individually you can provide the client information to ASDM The security appliance pushes this information to the remote client or Easy VPN hardware client when a connection is established Ensure that you specify the correct values or remot...

Page 55: ...e following steps Step 1 Enter the network configuration information to be pushed to remote clients Step 2 Click Next to continue Configuring the IKE Policy IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy it is also an authentication method to ensure the identity of the peers In most cases the ASDM default values are sufficient to establish secur...

Page 56: ...ppliance Getting Started Guide 78 17645 01 To specify the IKE policy in Step 8 of the VPN Wizard perform the following steps Step 1 Click the Encryption DES 3DES AES authentication algorithms MD5 SHA and the Diffie Hellman group 1 2 5 7 used by the security appliance during an IKE security association Step 2 Click Next to continue ...

Page 57: ...ess VPN Configuration Implementing the IPsec Remote Access VPN Scenario Configuring IPsec Encryption and Authentication Parameters In Step 9 of the VPN Wizard perform the following steps Step 1 Click the Encryption algorithm DES 3DES AES and authentication algorithm MD5 SHA Step 2 Click Next to continue ...

Page 58: ...ess Translation NAT to prevent internal IP addresses from being exposed externally You can make exceptions to this network protection by identifying local hosts and networks that should be made accessible to authenticated remote users In this scenario the entire inside network 10 10 10 0 is exposed to all remote clients In Step 10 of the VPN Wizard perform the following steps Step 1 Specify hosts ...

Page 59: ... Tunneling check box at the bottom of the screen Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel Step 2 Click Next to continue Verifying the Remote Access VPN Configuration In Step 11 of the VPN Wizard review the configuration attributes for the VPN tunnel you just created The displayed configuration sh...

Page 60: ...he old configuration takes effect the next time the device starts What to Do Next If you are deploying the security appliance solely in a remote access VPN environment you have completed the initial configuration In addition you may want to consider performing some of the following steps You can configure the security appliance for more than one application The following sections provide configura...

Page 61: ...Chapter 3 Scenario IPsec Remote Access VPN Configuration What to Do Next To Do This See Configure the security appliance to protect a Web server in a DMZ Chapter 2 Scenario DMZ Configuration Configure a site to site VPN Chapter 4 Scenario Site to Site VPN Configuration ...

Page 62: ...Chapter 3 Scenario IPsec Remote Access VPN Configuration What to Do Next 3 20 PIX 515E Security Appliance Getting Started Guide 78 17645 01 ...

Page 63: ...le maintaining their network security A VPN connection enables you to send data from one location to another over a secure connection or tunnel first by authenticating both ends of the connection and then by automatically encrypting all data sent between the two sites This chapter includes the following sections Example Site to Site VPN Network Topology page 4 1 Implementing the Site to Site Scena...

Page 64: ...e parameters from the remote access scenario shown in Figure 4 1 This section includes the following sections Information to Have Available page 4 2 Configuring the Site to Site VPN page 4 3 Information to Have Available Before you begin the configuration procedure gather the following information IP address of the remote security appliance peer IP addresses of local hosts and networks permitted t...

Page 65: ...ion About the Remote VPN Peer page 4 6 Configuring the IKE Policy page 4 7 Configuring IPsec Encryption and Authentication Parameters page 4 9 Specifying Hosts and Networks page 4 10 Viewing VPN Attributes and Completing the Wizard page 4 11 The following sections provide detailed instructions for how to perform each configuration step Starting ASDM To run ASDM in a web browser enter the factory d...

Page 66: ...onfiguring the Security Appliance at the Local Site Note The security appliance at the first site is referred to as Security Appliance 1 from this point forward To configure the Security Appliance 1 perform the following steps Step 1 In the main ASDM window choose the VPN Wizard option from the Wizards drop down menu ASDM opens the first VPN Wizard screen ...

Page 67: ...zard perform the following steps a Click the Site to Site VPN radio button Note The Site to Site VPN option connects two IPsec security gateways which can include security appliances VPN concentrators or other devices that support site to site IPsec connectivity b From the drop down list choose Outside as the enabled interface for the current VPN tunnel c Click Next to continue ...

Page 68: ...a static preshared key for authentication click the Pre Shared Key radio button and enter a preshared key for example Cisco This key is used for IPsec negotiations between the security appliances Note When you configure Security Appliance 2 at the remote site the VPN peer is Security Appliance 1 Be sure to enter the same preshared key Cisco that you use here Click the Challenge Response Authentica...

Page 69: ... encryption method to protect data and ensure privacy it is also an authentication method to ensure the identity of the peers In most cases the ASDM default values are sufficient to establish secure VPN tunnels between two peers In Step 3 of the VPN Wizard perform the following steps Step 1 Click the Encryption DES 3DES AES authentication algorithms MD5 SHA and the Diffie Hellman group 1 2 5 used ...

Page 70: ...ecurity Appliance Getting Started Guide 78 17645 01 Note When configuring Security Appliance 2 enter the exact values for each of the options that you chose for Security Appliance 1 Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process Step 2 Click Next to continue ...

Page 71: ...iguration Implementing the Site to Site Scenario Configuring IPsec Encryption and Authentication Parameters In Step 4 of the VPN Wizard perform the following steps Step 1 Choose the Encryption algorithm DES 3DES AES and authentication algorithm MD5 SHA from the drop down lists Step 2 Click Next to continue ...

Page 72: ...l In addition identify hosts and networks at the remote site to be allowed to use this IPsec tunnel to access local hosts and networks Add or remove hosts and networks dynamically by clicking Add or Delete respectively In this scenario for Security Appliance 1 the remote network is Network B 10 20 20 0 so traffic encrypted from this network is permitted through the tunnel In Step 5 of the VPN Wiza...

Page 73: ...n Implementing the Site to Site Scenario Step 5 Click Next to continue Viewing VPN Attributes and Completing the Wizard In Step 6 of the VPN Wizard review the configuration list for the VPN tunnel you just created If you are satisfied with the configuration click Finish to apply the changes to the security appliance ...

Page 74: ... to be saved to the startup configuration so that they are applied the next time the device starts from the File menu click Save Alternatively ASDM prompts you to save the configuration changes permanently when you exit ASDM If you do not save the configuration changes the old configuration takes effect the next time the device starts This concludes the configuration process for Security Appliance...

Page 75: ...ishing with the Viewing VPN Attributes and Completing the Wizard section on page 4 11 Note When configuring Security Appliance 2 enter the exact same values for each of the options that you selected for Security Appliance 1 Mismatches are a common cause of VPN configuration failures What to Do Next If you are deploying the security appliance solely in a site to site VPN environment you have comple...

Page 76: ...rity appliance for more than one application The following sections provide configuration procedures for other common applications of the security appliance To Do This See Configure the security appliance to protect a web server in a DMZ Chapter 2 Scenario DMZ Configuration Configure a remote access VPN Chapter 3 Scenario IPsec Remote Access VPN Configuration ...

Page 77: ...key comes with the adaptive security appliance If you are a registered user of Cisco com and would like to obtain a 3DES AES encryption license go to the following website http www cisco com go license If you are not a registered user of Cisco com go to the following website https tools cisco com SWIFT Licensing RegistrationServlet Provide your name e mail address and the serial number for the sec...

Page 78: ...y activation 5 tuple key Updates the encryption activation key by replacing the activation 4 tuple key variable with the activation key obtained with your new license The activation 5 tuple key variable is a five element hexadecimal string with one space between each element An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e The 0x is optional all values are assumed to be hexadecimal Step 4...