Cisco PIX 520 - PIX Firewall 520, Installation Manual

Page 1: ... Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco PIX Device Manager Installation Guide Version 3 0 Text Part Number 78 15483 01 ...

Page 2: ...T LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES This document is to be used in conjunction with the appropriate documentation for your Cisco PIX Firewall system CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing For...

Page 3: ...n xv Documentation Feedback xvi Obtaining Technical Assistance xvi Cisco TAC Website xvi Opening a TAC Case xvi TAC Case Priority Definitions xvii Obtaining Additional Publications and Information xvii Overview 1 1 Introduction 1 1 Data Encryption Overview 1 2 PIX Firewall System Requirements 1 4 PIX Firewall System Interoperability with PDM 1 4 Flash Memory Requirements 1 5 Maximum Configuration ...

Page 4: ...1 Downloading PDM Using FTP 3 2 Installing PDM 3 2 Loading the PDM Image 3 4 Configuring PDM 4 1 Starting PDM with Internet Explorer 4 1 Starting PDM with Netscape Navigator 4 2 PDM Home Page 4 3 Using the PDM Startup Wizard 4 4 VPN Wizard 4 5 Site to Site VPN 4 5 Remote Access VPN 4 5 Select Interface 4 6 Configuring VPN Tunnels 4 6 Configuration Recommendations 4 6 Tips and Troubleshooting 5 1 C...

Page 5: ...Contents v Cisco PIX Device Manager Installation Guide Version 3 0 78 15483 01 Enabling TFTP Access on a Linux System A 2 TFTP Download Error Codes A 3 I N D E X ...

Page 6: ...Contents vi Cisco PIX Device Manager Installation Guide Version 3 0 78 15483 01 ...

Page 7: ...ument Conventions page xiii Terms and Acronyms page xiv Related Documentation page xv Obtaining Documentation page xv Obtaining Technical Assistance page xvi Obtaining Additional Publications and Information page xvii Document Objectives This guide describes how to install and access the Cisco PIX Device Manager PDM software Audience This guide is for network administrators who perform the followi...

Page 8: ...tés Warnung Das Installieren Ersetzen oder Bedienen dieser Ausrüstung sollte nur geschultem qualifiziertem Personal gestattet werden Figyelem A berendezést csak szakképzett személyek helyezhetik üzembe cserélhetik és tarthatják karban Avvertenza Questo apparato può essere installato sostituito o mantenuto unicamente da un personale competente Advarsel Bare opplært og kvalifisert personell skal for...

Page 9: ... bij elektrische schakelingen betrokken risico s en dient u op de hoogte te zijn van de standaard praktijken om ongelukken te voorkomen Voor een vertaling van de waarschuwingen die in deze publicatie verschijnen dient u de vertaalde veiligheidswaarschuwingen te raadplegen die bij dit apparaat worden geleverd Opmerking BEWAAR DEZE INSTRUCTIES Opmerking Deze documentatie dient gebruikt te worden in ...

Page 10: ...brauch in Verbindung mit dem Installationshandbuch für Ihr Gerät bestimmt das dem Gerät beiliegt Entnehmen Sie bitte alle weiteren Informationen dem Handbuch Installations oder Konfigurationshandbuch o Ä für Ihr spezifisches Gerät Figyelem FONTOS BIZTONSÁGI ELÕÍRÁSOK Ez a figyelmezetõ jel veszélyre utal Sérülésveszélyt rejtõ helyzetben van Mielõtt bármely berendezésen munkát végezte legyen figyele...

Page 11: ...ção destina se a ser utilizada em conjunto com o manual de instalação incluído com o produto específico Consulte o manual de instalação o manual de configuração ou outra documentação adicional inclusa para obter mais informações Advertencia INSTRUCCIONES IMPORTANTES DE SEGURIDAD Este símbolo de aviso indica peligro Existe riesgo para su integridad física Antes de manipular cualquier equipo conside...

Page 12: ...xii Cisco PIX Device Manager Installation Guide 78 15483 01 Preface Safety Warning Description ...

Page 13: ...menu items Selecting a menu item or screen is indicated by the following convention Click Start Settings Control Panel Notes cautionary statements and safety warnings use these conventions Note Means reader take note Notes contain helpful suggestions or references to materials not contained in this manual Caution Means reader be careful You are capable of doing something that might result in equip...

Page 14: ...cit IV Explicit Initialization Vector Gb Gigabit Gbps Gigabits per second ICMP Internet Control Message Protocol IKE Internet Key Exchange ISAKMP Internet Security Association and Key Management Protocol IDS Intrusion Detection System JVM Java Virtual Machine MB Megabyte Mbps Megabits per second MD5 Message Digest 5 MD5 PCI Peripheral Component Interconnect PDM PIX Device Manager PIX PIX Firewall ...

Page 15: ...Documentation CD ROM Cisco documentation and additional literature are available in a Cisco Documentation CD ROM package which may have shipped with your product The Documentation CD ROM is updated regularly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual or quarterly subscription Registered Cisco com users can order a single...

Page 16: ...com features the Cisco TAC website as an online starting point for technical assistance Cisco TAC Website The Cisco TAC website http www cisco com tac provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The Cisco TAC website is available 24 hours a day 365 days a year Accessing all the tools on the Cisco TAC website requires a...

Page 17: ...effect on your business operations Obtaining Additional Publications and Information Information about Cisco products technologies and network solutions is available from various online and printed sources The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services Access the Cisco Product Catalog at this URL http www cisco...

Page 18: ...g professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com en US about ac123 ac147 about_cisco_the_internet_protocol_journal html Training Cisco offers world class networking training Current offerings in network training are listed at this URL http www cisco com en US learnin...

Page 19: ...configure manage and monitor security policies across a network PDM Startup Wizard Creates a basic configuration that allows packets to flow securely through the PIX Firewall from the inside to the outside network VPN Wizard Creates a basic configuration that lets you easily set up a remote access VPN or site to site VPN Monitoring and Reporting Tools Provides real time and historical data summari...

Page 20: ...vanced Encryption Standard AES You can protect access with a valid username and password either on the PIX Firewall or through an authentication server Data Encryption Overview This section describes data encryption including the IPSec IKE and certification authority CA interoperability features Note For additional information on these features refer to the IP Security and Encryption chapter in th...

Page 21: ...H Authentication Header is a security protocol that provides data authentication and optional antireplay services The AH protocol uses various authentication algorithms PIX Firewall software has implemented the mandatory MD5 and SHA HMAC variants authentication algorithms The AH protocol provides antireplay services Explicit IV Explicit Initialization Vector is a sequence of random bytes appended ...

Page 22: ...netmgtsw ps2032 products_installation_guides_books_list h tml This section includes the following topics PIX Firewall System Interoperability with PDM page 4 Flash Memory Requirements page 5 Maximum Configuration File Size page 5 Software Requirements page 6 Upgrading to a New Software Release page 6 PIX Firewall System Interoperability with PDM Table 1 1 lists the PIX Firewall System requirements...

Page 23: ...nchronization time During a system reload To determine the size of your configuration file enter the show flashfs command at the PIX Firewall CLI prompt View the output which begins with file 1 The number labeled length on the same line is the configuration file size in bytes For example pixfirewall show flashfs flash file system version 3 magic 0x12345679 file 0 origin 0 length 1925176 file 1 ori...

Page 24: ...at http www cisco com cgi bin Software FormManager formgenerator pl pid 221 fid 324 Use the show version command to verify the software version of your PIX Firewall unit Upgrading to a New Software Release If you registered Cisco user refer to the Upgrading Software for the Cisco Secure PIX Firewall document at the following URL http www cisco com en US products hw vpndevc ps2030 products_tech_not...

Page 25: ...ailable if you are using the Java Plug in 1 3 1 1 4 0 and 1 4 1 and not a beta version a Click Tools Internet Options b Click the Advanced tab c In the Java Sun section clear the Use Java 2 check box HTTP 1 1 Settings for Internet Options Advanced HTTP 1 1 settings should use HTTP 1 1 for both proxy and non proxy connections Secure Sockets Layer SSL Browser support for SSL must be enabled The supp...

Page 26: ...emory 256 MB Display Resolution and Colors 1024 x 768 pixels and 256 colors Network Connection Connection speed 56 Kbps 384 Kbps DSL or cable recommended Table 1 5 Supported and Recommended Windows Platforms for PDM 3 0 Operating System Browser JVM Supported Windows Platforms Windows 98 Windows NT 4 0 Service Pack 4 and higher Windows 2000 Service Pack 3 Windows ME Windows XP Internet Explorer 5 5...

Page 27: ... or cable recommended Table 1 7 Supported and Recommended Sun Solaris Platforms for PDM 3 0 Operating System Browser JVM Supported Sun Solaris Platforms Sun Solaris 2 8 or 2 9 running CDE window manager Netscape 4 781 1 Netscape Communicator 4 79 is not supported Native2 JVM 2 Native refers to the built in JVM that ships with the browser Recommended Sun Solaris Platforms Sun Solaris 2 8 running CD...

Page 28: ... PDM 3 0 Operating System Browser JVM Supported Red Hat Linux Platforms Red Hat Linux 7 0 7 1 7 2 7 3 or 8 0 running GNOME or KDE Netscape 4 7x on Red Hat 7 x Native1 JVM 1 Native refers to the built in JVM that ships with the browser Mozilla 1 0 1 on Red Hat 8 0 Java Plug in 1 4 1 Recommended Red Hat Linux Platforms Red Hat Linux 8 0 Mozilla 1 0 1 Java Plug in 1 4 1_02 ...

Page 29: ...ntical Most PIX Firewall CLI commands are fully supported by PDM If you are using PDM with an existing firewall configuration refer to PDM Support for PIX Firewall CLI Commands for more information Multiple PDM Sessions PDM allows multiple PCs or workstations to each have one browser session open with the same firewall However only one session per browser per PC or workstation is supported for a p...

Page 30: ...ificates that you entered manually Installation Checklist Confirm the following before you install PDM Verify that all system requirements have been met See the requirements listed in Chapter 1 Overview For example the PIX Firewall unit must be running PIX Firewall software Version 6 3 and have a DES 3DES or AES activation key to use PDM Version 3 0 Confirm that you are running PIX Firewall softwa...

Page 31: ...e PIX Firewall software Version 6 3 and PDM Version 3 0 both the PIX Firewall image and the PDM image must be installed on your failover units If you are using PDM with an existing PIX Firewall configuration refer to the appropriate version of the Cisco PIX Device Manager Release Notes for information on which commands are supported and which are not PDM works with any configuration whether create...

Page 32: ...rity and a 16 MB file size limitation Before using TFTP determine the IP address of your server This section provides the information required to determine your IP address and includes the following topics Windows NT Windows 2000 or Windows XP page 2 4 Windows 98 or Windows ME page 2 4 Sun Solaris page 2 5 Linux page 2 5 Windows NT Windows 2000 or Windows XP On a Windows workstation click Start Ac...

Page 33: ...o view your IP address as shown in the following example sbin ifconfig eth0 Link encap Ethernet HWaddr 00 D0 B7 5D C0 56 inet addr 209 165 200 225 Bcast 209 165 200 255 Mask 255 255 255 224 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 189576 errors 0 dropped 0 overruns 0 frame 0 TX packets 414837371 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 Interrupt 10 Bas...

Page 34: ...2 6 Cisco PIX Device Manager Installation Guide 78 15483 01 Chapter 2 Preparing to Install PDM Determining the IP Address of Your Server ...

Page 35: ...the Web Step 1 Go to http www cisco com using a web browser Step 2 On the menu bar click LOGIN Step 3 Enter your Cisco com username and password and click OK Note To register as a Cisco com user and obtain a username and password go to this URL http tools cisco com RPF register register do Step 4 Enter http www cisco com cgi bin tablebuild pl pix in the web address area of your web browser and pre...

Page 36: ...at Reader which is free and available at http www adobe com products acrobat readstep2 html Step 7 Enter quit to exit Installing PDM Perform the following steps to install PDM Step 1 Follow these steps to set up a console connection from a Microsoft Windows workstation to your PIX Firewall unit unless you already have a console connection a Power off your PIX Firewall unit b Connect the serial por...

Page 37: ...ash 64MB RAM Flash i28F640J5 0x300 BIOS Flash AT29C257 0xfffd8000 mcwa i82559 Ethernet at irq 10 MAC 0050 54ff 3772 mcwa i82559 Ethernet at irq 7 MAC 0050 54ff 3773 mcwa i82559 Ethernet at irq 11 MAC 00d0 b792 409d c i s c o S y s t e m s Private Internet eXchange Cisco PIX Firewall Cisco PIX Firewall Version 6 3 Licensed Features Failover Enabled VPN DES Enabled VPN 3DES Enabled Maximum Interface...

Page 38: ...paring to Install PDM Loading the PDM Image Perform the following steps to load the PDM image file onto the PIX Firewall Step 1 Enter the following at the command prompt to load the PDM image file pixfirewall copy tftp Your_TFTP_Server_IP_Address Your_pdmfile_name flash pdm Or you can enter the generic command and follow the prompts pixfirewall copy tftp flash pdm Step 2 Enter the following comman...

Page 39: ...hentication every time you launch PDM unless you configured your PIX Firewall to use another AAA server for authentication in which case the AAA server provides the authentication Step 2 Clock UTC Year 2001 Month Aug Day 27 Time 22 47 37 Set the PIX Firewall clock to Universal Coordinated Time UTC also known as Greenwich Mean Time or GMT For example if you are in the Pacific Daylight Savings time ...

Page 40: ...3 6 Cisco PIX Device Manager Installation Guide 78 15483 01 Chapter 3 Installing PDM Loading the PDM Image Step 7 Click Exit Step 8 Click Yes to exit HyperTerminal ...

Page 41: ...rface_ip_address where pix_inside_interface_ip_address is the IP address of the inside interface of your PIX Firewall entered in standard number format For the PIX 501 and PIX 506 506E the factory default inside interface address is as follows inside IP address to 192 168 1 1 Enter https 192 168 1 1 for the PIX 501 and PIX 506 506E platforms This launches PDM Note Ensure that you add the s to http...

Page 42: ...or more information on how to use PDM see the online Help at http www cisco com univercd cc td doc product iaabu pix pdm v_30 pdm30olh pdf Starting PDM with Netscape Navigator Perform the following steps to start PDM with Netscape Navigator Step 1 On a Netscape Navigator browser running on a workstation connected to the PIX Firewall unit enter the following https 172 23 59 230 This launches PDM St...

Page 43: ... Home page is updated every ten seconds except for the Device Information You can access the Home page any time by clicking Home on the main toolbar Note If the interface is configured to use DHCP or PPPoE to obtain an IP address and running PIX Firewall Version 6 3 or higher your IP address will be displayed in the Interface Status table If you are running an earlier version of the PIX Firewall s...

Page 44: ...the link status of the interface A red icon is displayed if the physical status of the link is down and a green icon is displayed if the physical status of the link is up Note that on a PIX 501 the inside interface link will always be displayed as up because this interface acts as a built in switch Be sure to check for physical connectivity on the inside interface of a PIX 501 Current Kbps Display...

Page 45: ...N configuration before running this wizard and identify the interface to use for each remote IPSec peer with which you need to establish secure connectivity To set up your PIX Firewall as a remote access client in relation to another PIX Firewall or Cisco VPN Concentrator select the Startup Wizard from the Wizards menu You can configure the VPN Wizard as follows Site to Site VPN page 4 5 Remote Ac...

Page 46: ...a plug in or with the Java Plug in but not as the default JVM PDM Version 3 0 supports the Java plug in for browsers When using Windows 2000 or later fastest loading of PDM can be achieved by editing the Windows configuration file hosts Step 1 Locate the hosts file Under Windows 2000 the location of the hosts file is C WINNT system32 drivers etc hosts Step 2 Select the file right click and select ...

Page 47: ...interface inside at the console command prompt to check that the IP address you typed into your web browser is the same IP address that you assigned to the inside interface of your PIX Firewall these IP addresses must be the same to make a connection Step 2 Check the networking setup of your console workstation to see how it is connected to the PIX Firewall Step 3 Check that your network cabling i...

Page 48: ...t Step 7 If you still cannot access PDM from your browser refer to the Preface Tips on Using PDM For ease when using PDM follow these tips You can view the size of your configuration from the PIX Firewall console Either connect a computer to the PIX Firewall unit or use Telnet to access the console After entering the enable mode password use the show flashfs command to view the configuration size ...

Page 49: ...Once the PDM applet is loaded on your workstation the link speed impact on PDM operation is negligible If your workstation s resources are running low you should close and reopen your browser before launching PDM For information on PDM caveats refer to the Caveats section of the Cisco PIX Device Manager Release Notes Version 3 0 Troubleshooting For information on PDM caveats refer to the caveats s...

Page 50: ... the show version command to check that you have the proper activation key to use DES or 3DES If you do not obtain an activation key that supports this requirement before continuing If after confirming that your activation key supports using DES or 3DES you still cannot connect refer to Checking Your Connection to the PIX Firewall Clicking Grant causes PDM to crash If you are using PDM with Netsca...

Page 51: ...ult Java Virtual Machine JVM Do the following to ensure that the Java Plug in is your default JVM In Internet Explorer click Tools Internet Options Click the Advanced tab Scroll down Look for a Java Sun section If there is one confirm that Use Java 2 is checked In Netscape click Edit Preferences Click Advanced Make sure the Enable Java Plugin check box is checked User cannot access PDM If more tha...

Page 52: ...ing your PIX Firewall using an IP address instead of a host name the performance of PDM is dramatically slower This occurs if the PIX Firewall host name is not in DNS or in the local hosts file Assure that the PIX Firewall host name is in DNS If you are running Windows and there is no DNS in your network or your DNS does not have the PIX Firewall entry modify the hosts file On Windows NT 2000 and ...

Page 53: ...ning a Windows TFTP Server The Microsoft Windows based TFTP server previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems This software suffers from a security bug described in http online securityfocus com bid 2886 Persons still using the server should consider replacing it with any of the high quality freeware and shareware TFTP servers As a histor...

Page 54: ... you append s directory in the previous step View the in tftpd man page for more information Step 4 Either reboot your system or use the following commands to find the inetd process and send it the SIGHUP signal to force it to reread the inetd conf file bin ps ef grep inetd kill 1 inetd_process_ID Enabling TFTP Access on a Linux System Follow these steps to enable TFTP access on a Linux system Not...

Page 55: ... stop Table A 1 TFTP Error Code Numeric Values Error Code Description 1 Timeout between the PIX Firewall and TFTP server 2 The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet 3 The received packet was not from the server specified in the server command 4 The IP header length was not big enough to be a valid TFTP packet 5 The IP protocol type on the r...

Page 56: ...A 4 Cisco PIX Device Manager Installation Guide 78 15483 01 Appendix A Using a TFTP Server TFTP Download Error Codes ...

Page 57: ...e 3 4 configure terminal command 3 4 connection checking 5 1 pinging 5 1 copy tftp flash command 3 4 D Data 1 2 Data Encryption Standard DES A 1 F failover preparation 2 3 H Home Page 4 3 https 4 1 5 2 5 4 I IP address administrator 5 5 TFTP server 2 4 workstation 2 4 J JDK version 1 7 K key activation A 1 license 2 3 L license key 2 3 M maximum number of PDM sessions 5 5 module VPN acceleration s...

Page 58: ... command 3 4 prompts 3 5 show flashfs command 5 2 show ip interface inside command 5 1 show version command 2 2 startup wizard 4 4 T terms list of xiv terms and acronyms xiv TFTP error codes A 3 Linux 2 5 server 2 2 A 1 Sun Solaris A 2 UNIX A 2 using A 1 Windows 2 4 troubleshooting accessing PDM 5 4 5 5 common symptoms 5 3 launching PDM 5 6 matrix 5 3 starting PDM 5 3 V VPN Acceleration Module see...