Cisco Systems PIX 506 User Manual


Quick Start Guide

Cisco PIX 506/506E Firewall

For Cisco PIX Firewall Version 6.2 and PDM Version 2.0

1 About the Cisco PIX 506/506E Firewall

2 Check Items Included

3 Connect the Cables

4 Power On the PIX 506/506E

5 Check the LEDs

6 Configuring the PIX 506/506E

7 PDM Startup Wizard

8 Alternative Ways to Access the PIX 506/506E

9 Upgrade to DES or 3DES

10 Restore the Default Configuration

1 About the Cisco PIX 506/506E Firewall

The PIX 506/506E delivers enterprise-class security for remote office/branch office environments in a robust, reliable security appliance. Ideal for securing Internet connections for remote/branch offices, the PIX 506/506E, part of the market-leading Cisco PIX Firewall Series, provides a wide range of rich security capabilities and remote management capabilities in a cost-effective, high-performance solution:


Stateful inspection security based on state-of-the-art Adaptive Security Algorithm (ASA)

Supports over 100 predefined applications, services, and protocols for flexible access control

Virtual Private Networking (VPN) for secure remote network access using IKE/IPSec standards

Intrusion protection from over 55 different network-based attacks

URL filtering of outbound web traffic via industry-leading, third-party URL filtering products

Hardware Features

External power supply

200-MHz (PIX 506)/300-MHz (PIX 506E) processor

32-MB RAM, 8-MB Flash memory

1 autosensing 10BaseT Ethernet port for an outside connection to the Internet (port 0)

1 autosensing 10BaseT Ethernet port for a connection to your internal network

Serial console port for administrative access

Front panel LEDs for appliance and link status

20-Mbps cleartext firewall throughput

10 Mbps (PIX 506)/16 Mbps (PIX 506E) VPN throughput (3DES/SHA1)

Software Features

Supports PIX Firewall version 6.2, a secure, purpose-built embedded operating system

Includes plug-and-play default configuration for simplified installation

Includes Cisco PIX Device Manager (PDM) for intuitive, web-based administration of PIX Firewalls

Internal DHCP server supports up to 256 DHCP address leases

Supports up to 5 remote access, or site-to-site, VPN peers

Supports 56-bit DES and 168-bit 3DES, with optional licenses. Refer to “Upgrade to DES or 3DES” for more information.


2 Check Items Included

The package-contents figure shows the following items:

Cisco PIX 506E

PC terminal adapter (74-0495-01)

Blue console cable (72-1259-01)

Console cable adapter (29-0810-01)

Two yellow Ethernet cables (72-1482-01)

Cisco PIX Firewall Product CD

Power supply and cable (US shown); 506E power supply (341-0007-01)

PIX 506E Quick Start Guide and Safety and Compliance Guide (documentation)


3 Connect the Cables

[Figure: cable connections. The yellow Ethernet cables run from the PIX 506E rear panel (Ethernet 0, Ethernet 1, Console, USB, DC power input) to the Internet and to a switch serving a computer or other network device, a laptop computer, a router, and a printer; the power adapter cable connects to the DC power input.]

Follow these steps to connect the cables:

Step 1 Place the chassis on a flat, stable surface. The chassis is not rack mountable.

Step 2 Use the yellow Ethernet cable (72-1482-01) provided to connect the outside Ethernet interface, Ethernet 0, to a DSL modem, cable modem, or router.

Step 3 Use the other Ethernet cable (72-1482-01) provided to connect the inside Ethernet interface, Ethernet 1, to a switch or hub.


4 Power On the PIX 506/506E

[Figure: PIX 506E rear panel (Ethernet 0, Ethernet 1, Console, USB, DC power input) with the power supply connected to the DC power input.]

Follow these steps to power on the PIX Firewall:

Step 1 Connect the small, square connector of the power supply cable to the power connector on the rear panel.

Step 2 Connect the AC power connector of the power supply input cable to an electrical outlet.

Step 3 Set the power switch to the on (|) position.


5 Check the LEDs

[Figure: PIX 506E front panel with the POWER, ACT, and NETWORK LEDs.]

If all LEDs are operating as expected (see Table 1 and Table 2), this concludes the hardware installation. The pages that follow include instructions on running PDM and additional optional procedures.

Table 1  PIX 506/506E Front Panel LEDs

LED      State           Description
POWER    Green           The device is powered on.
         Off             The device is powered off.
ACT      Flashing green  The software image has been loaded.
         Off             The device is powered off.
Network  Flashing green  One or more network interfaces are passing traffic.
         Off             No network interfaces are passing traffic.

 

 

 

 

[Figure: PIX 506/506E rear panel showing the ACT and LINK LEDs beside Ethernet 1 and Ethernet 0, with the USB, Console, and DC power input connectors. The original reads "Insert picture of 506/506E here."]

Table 2  PIX 506/506E Rear Panel LEDs

LED   State  Description
ACT   On     Network activity is present on the port.
      Off    No network activity is present on the port.
LINK  On     Data is passing on the port.
      Off    No data is passing on the port.

 

 

 

 

6 Configuring the PIX 506/506E

The PIX 506/506E comes with a factory default configuration that meets the needs of most broadband networking environments. The factory default configuration on the PIX 506/506E protects your inside network from any unsolicited traffic. It is configured to use DHCP on the outside interface to acquire an IP address. A default DHCP server address pool is included for hosts on the inside interface.

PDM contains a Startup Wizard that lets you easily change settings to suit your needs.

Instances in which it might be necessary to change the default configuration include the following:

To create administrative and Telnet passwords

Note We highly recommend that you change the administrative and Telnet passwords from their default settings to secure the administration of the PIX Firewall.

To configure Point-to-Point Protocol over Ethernet (PPPoE) or a static IP address for an outside interface

To configure VPN and Auto Update features


7 PDM Startup Wizard

The PIX 506/506E contains an integrated configuration utility called Cisco PIX Device Manager (PDM). PDM is a web browser-based configuration tool designed to help you set up, configure, and monitor the PIX Firewall.

PDM is preinstalled on the PIX 506/506E. To access PDM, make sure JavaScript and Java are enabled in your web browser. For best performance, we recommend that you use Microsoft Internet Explorer 5.5 or a higher release. Refer to the Cisco PIX Device Manager Installation Guide for more information on operating system and web browser environments supported by PDM.


PDM version 2.0 and higher releases include a Startup Wizard for initial configuration. Follow these steps to load PDM and use the Startup Wizard:

Step 1 Use an Ethernet cable to connect your PC to the inside port (Ethernet 1) on the rear panel of the PIX Firewall.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the PIX Firewall) or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network.

Note The inside interface of the PIX Firewall is assigned 192.168.1.1, so choose a different IP address.

Step 3 Check the ACT LED on the rear panel of the PIX Firewall (see Table 2 on page 6) to verify that your PC has basic connectivity to the inside port (Ethernet 1). When connectivity occurs, the ACT LED next to the port lights up solid green.

Step 4 To access the Startup Wizard, use a PC connected to the inside port and enter the URL https://192.168.1.1/startup.html into your browser.

Note It is very important to enter the “s” in “https://192.168.1.1,” which indicates a secure connection. If you enter “http://192.168.1.1” without the “s” in “https,” you cannot access the PIX Firewall.

Step 5 Accept the certificates and follow the instructions in the Startup Wizard. For online help, click the Help button at the bottom of the Startup Wizard window.


8 Alternative Ways to Access the PIX 506/506E

You can use a serial terminal emulator from a PC or workstation connected to the Console port for local administrative access.

You can also use PDM or a console to configure Telnet access to the PIX 506/506E. By default, Telnet access is not permitted. To Telnet to the PIX 506/506E from the outside perimeter of the firewall, configure an outside IP address and IPSec for a secure Telnet session. For more information, refer to the Cisco PIX Firewall and VPN Configuration Guide.

[Figure: console connection. The blue console cable runs from the Console port on the PIX 506E rear panel to the PC terminal adapter.]

To connect a console for local administrative access:

Step 1 Plug one end of the console cable adapter into a standard 9-pin PC serial port.

Step 2 Plug one end of the blue console cable (72-1259-01) into the PC terminal adapter.

Step 3 Plug the other end of the blue console cable into the Console port.

Step 4 Configure the PC terminal emulation software or terminal for 9600 baud, 8 data bits, no parity, and 1 stop bit.

Refer to the Cisco PIX Firewall and VPN Configuration Guide for information about how to use the command-line interface (CLI).
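Added example, not from this guide or from Cisco: a Python audit of a PIX 6.2 running configuration for the two points raised in section 6 (the default administrative and Telnet passwords) and section 8 (Telnet permitted only from inside unless an IPSec tunnel protects it). The default password hashes are an assumption (well-known PIX values, not stated in the guide), and both sample configurations are constructed.

```python
"""Audit a PIX 6.2 running configuration for the quick-start hardening points."""
import ipaddress

# Assumed well-known PIX password hashes, not taken from the guide: the factory
# Telnet password ("cisco") and an empty enable password.
DEFAULT_TELNET_HASH = "2KFQnbNIdI.2KYOU"
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"


def parse_config(text):
    """Collect the password lines and the telnet/http allowed-host lines."""
    cfg = {"passwd": None, "enable": None, "telnet": [], "http": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith((":", "!")):
            continue  # blank line, ": Saved" header or comment
        cmd, args = parts[0], parts[1:]
        if cmd == "passwd" and args:
            cfg["passwd"] = args[0]
        elif cmd == "enable" and len(args) >= 2 and args[0] == "password":
            cfg["enable"] = args[1]
        elif cmd in ("telnet", "http") and len(args) == 3:
            # "<address> <mask> <interface>": hosts allowed to reach the service
            cfg[cmd].append(tuple(args))
    return cfg


def audit(text):
    """Return the sorted finding codes for one configuration."""
    cfg = parse_config(text)
    findings = set()
    if cfg["passwd"] in (None, DEFAULT_TELNET_HASH):
        findings.add("telnet-password-default")
    if cfg["enable"] in (None, DEFAULT_ENABLE_HASH):
        findings.add("enable-password-default")
    for service in ("telnet", "http"):
        for addr, mask, iface in cfg[service]:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if iface != "inside":
                # The guide allows Telnet from outside only inside an IPSec tunnel.
                findings.add(f"{service}-allowed-from-{iface}")
            if net.prefixlen == 0:
                findings.add(f"{service}-allowed-from-any-host")
    return sorted(findings)


# Constructed sample configuration, not captured from a real device.
WEAK_CONFIG = """\
: Saved
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
"""
# Same device after changing both passwords (placeholder hashes) and limiting Telnet to one inside host.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace("8Ry2YjIyt7RRXU24", "XXXXXXXXXXXXXXXX")
                   .replace("2KFQnbNIdI.2KYOU", "YYYYYYYYYYYYYYYY")
                   .replace("telnet 0.0.0.0 0.0.0.0 outside",
                            "telnet 192.168.1.10 255.255.255.255 inside"))
```

Running audit(WEAK_CONFIG) reports both default passwords and Telnet open from any host on the outside interface; audit(HARDENED_CONFIG) returns an empty list.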


9 Upgrade to DES or 3DES

Note The following instructions are applicable to PIX Firewall version 6.2 and higher releases. If you are not running PIX Firewall version 6.2, refer to the Quick Start Guide for the version of software installed on your PIX Firewall.

To upgrade features you did not specify at the time of purchase, you need to use an activation key. The activation key lets you add software features to the PIX 506/506E, such as DES or 3DES.

To request a free activation key for DES, complete the online form at the following website:

http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

Note If you are unable to access this form because you do not have a CCO login, send an e-mail to licensing@cisco.com. In the e-mail include the PIX Firewall serial number as it appears in the show version command and request a free 56-bit DES key.

To purchase an activation key for 3DES (PIX-506-SW-3DES=), go to Cisco’s ordering website:

http://www.cisco.com/public/Ordering_root.shtml

Enter the activation key only after you have downloaded an image—not from the command line or without rebooting first.

Note You can verify if you have the DES or 3DES feature by entering the show activation-key command.


Follow these steps to use an activation key:

Step 1 Ensure that the image in Flash memory and the Running Image are the same.

Step 2 From the CLI, enter the activation-key activation-key-four-tuple command, replacing activation-key-four-tuple with the activation key obtained from Cisco.

Note Make sure that you are in config mode to enter a new activation key.

Step 3 Reboot the PIX Firewall by powering it off and then on again.

After the key update is complete, the system reloads again to update the running image.

10 Restore the Default Configuration

Caution Entering the config factory-default command erases the current running configuration.

If you inadvertently erase the default configuration or need to restore the default configuration, you can restore the factory default values in one of the following ways:

Run the Startup Wizard and click Reset PIX to Factory Default Configuration from the Starting Configuration page.

Use PDM and click File>Reset PIX to Factory Default Configuration.

Use PDM or a terminal emulation program and enter the following commands:

 

Step 1  config factory-default [<inside ip address> [address mask]] (see note 1)
        Erases the running configuration and replaces it with the factory default configuration.

Step 2  write memory
        Writes the factory default configuration to Flash memory.

1. If the optional inside IP address and optional address mask are specified, the factory-default configuration will reflect the specified IP address.


Refer to the following website for detailed command information and configuration examples:

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmd_ref/index.htm

The Cisco TAC website is available to all customers who need technical assistance. To access the TAC Website go to:

http://www.cisco.com/tac

11 Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription


Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can send your comments in e-mail to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering

170 West Tasman Drive

San Jose, CA 95134-9883

We appreciate your comments.

12 Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.


Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific:+61 2 8446 7411 (Australia: 1 800 805 227)

EMEA: +32 2 704 55 55

USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.


Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

13 Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/go/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html


 

 

 

 

 


78-14215-01 DOC-7814215=
