Cisco Systems 78-11180-01 User Manual

CHAPTER 2
Installing a PIX Firewall
The following sections in this chapter describe how to install a PIX Firewall:
Before You Begin the Installation
Installing a PIX 506
Installing a PIX 515
Installing a PIX 525
Installing a PIX 520 or Earlier Model
Startup Messages
Software Installation Notes

Installation Overview

Follow these steps to install a PIX Firewall:
Note If your PIX Firewall model supports a failover configuration, perform the steps that follow
only on the Primary (Active) unit. Refer to Chapter 3, “Installing Failover” for information about setting up a failover configuration. (Does not apply to the PIX 506.)
Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the
Cisco Secure PIX Firewall Version 5.2 document. You can view this online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrcs52.htm
Step 2 Completely read the release notes for your respective software version referenced in the section
“Related Documentation” in “About This Manual.”
Step 3 Unpack the PIX Firewall. The PIX Firewall consists of two main components, the PIX Firewall unit and
a separate accessory kit. The accessory kit contains documentation, a power supply or cord, rack mounting hardware (not applicable to the PIX 506), and additional software you can use with your PIX Firewall.
Step 4 Place the PIX Firewall on a stable work surface.
Step 5 If you need to download software, refer to the “Software Installation Notes” section.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2

Before You Begin the Installation

Note The information you gather here is required during configuration and is a reminder to find
it while installing your PIX Firewall—before beginning the configuration. You can use this information with Chapter 9, “Installing the PIX Firewall Setup Wizard” or with the Cisco PIX Firewall Configuration Guide, Version 5.2.
Before you begin the installation, gather information about each network interface that will be connected to the PIX Firewall. If you have a PIX 506, all you need are IP addresses for the two interfaces. All other information in Table 2-1 will be provided automatically in the configuration that comes with the PIX 506. For models other than the PIX 506, locate the following information before proceeding.
Table 2-1 Configuration Information
Columns (one per interface): Outside Network, Inside Network, Perimeter 1, Perimeter 2, Perimeter 3, Perimeter 4
Rows (one value to record per interface): Interface Speed, IP Address and Netmask, Interface Name—HW, Interface Name—SW, Security Level, MTU Size
To prepare to configure the PIX Firewall, locate the following information:
Interface speed—The speed of each network interface. You only need to specify a value for
Ethernet interface boards that do not autosense the interface’s speed, connection type, and full/half duplex support; or for Token Ring interface boards. Use the interface command to enter the speed for each interface in the configuration.
IP address and netmask—The IP address and network mask for each network interface. The
IP address for each interface must be different from any others you use in your network. Use the ip address command to enter the IP address and network mask for each interface in the configuration.
Interface name (HW)—The hardware name for the interface, such as ethernet0, ethernet1, token0,
token1, fddi0, fddi1, and so on. Use the nameif command to enter the hardware name for the interface in the configuration.
Interface name (SW)—The software name for the interface, such as inside or outside. The inside
interface must be named “inside.” All other interfaces can have any name. Note that you will need to enter this name frequently in the configuration. Use the nameif command to associate the hardware and software names in the configuration.
Security level—Used to determine the level of trust for each network interface. The outside
network must have a security level of 0 and the inside network must be 100. The perimeter interfaces can be any value from 1 to 99. Use the nameif command to enter the security level in the configuration.
MTU size—The maximum transmission unit (MTU) size for each network interface. You only need
to specify a value if you want to set an MTU size that differs from the default (1,500 bytes/block for Ethernet; 8,192 bytes/block for Token Ring and FDDI).
In addition, you should determine the IP address of the outside default router and your network topology and security policy. We recommend that you take a few minutes to draw a diagram of your network with IP addresses, indicating which computers you are protecting, and which switches, routers, and hosts are on each network.
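As an added example (not part of the Cisco manual), the following Python code checks a completed Table 2-1 worksheet against the rules stated in this section before any configuration is entered: hardware name format, unique addresses, the "inside"/100 pairing, and the 0 to 100 security-level range. The dictionary field names, the sample addresses, and the reading that exactly one interface carries level 0 are assumptions made for this example.

```python
import ipaddress
import re

# Default MTU per media type, as stated in this chapter.
DEFAULT_MTU = {"ethernet": 1500, "token": 8192, "fddi": 8192}
HW_NAME = re.compile(r"^(ethernet|token|fddi)\d+$")


def validate_plan(rows):
    """Check a Table 2-1 style worksheet (list of dicts); return problem strings."""
    problems = []
    seen = {"hw": set(), "name": set(), "ip": set()}
    for r in rows:
        hw, name, level = r["hw"], r["name"], r["level"]
        if not HW_NAME.match(hw):
            problems.append(f"{hw}: not an ethernetN/tokenN/fddiN hardware name")
        # Hardware names, software names and addresses must each be unique.
        for key in ("hw", "name", "ip"):
            if r[key] in seen[key]:
                problems.append(f"{hw}: duplicate {key} {r[key]}")
            seen[key].add(r[key])
        try:
            ipaddress.ip_interface(f"{r['ip']}/{r['netmask']}")
        except ValueError:
            problems.append(f"{hw}: invalid address or netmask")
        # Level 100 belongs to the interface named "inside", and vice versa.
        if (name == "inside") != (level == 100):
            problems.append(f"{hw}: 'inside' and security level 100 must go together")
        elif not 0 <= level <= 100:
            problems.append(f"{hw}: security level {level} outside 0-100")
    # Assumption: one outside (level 0) and one inside (level 100) interface.
    levels = [r["level"] for r in rows]
    for lvl, label in ((0, "outside"), (100, "inside")):
        if levels.count(lvl) != 1:
            problems.append(f"expected exactly one {label} interface at level {lvl}")
    return problems


def effective_mtu(row):
    """MTU to configure: the worksheet value, else the media default."""
    media = re.match(r"[a-z]+", row["hw"]).group()
    return row.get("mtu") or DEFAULT_MTU[media]


# Constructed sample worksheets; field names are hypothetical, addresses are examples.
GOOD = [
    {"hw": "ethernet0", "name": "outside", "level": 0, "ip": "192.0.2.1", "netmask": "255.255.255.0"},
    {"hw": "ethernet1", "name": "inside", "level": 100, "ip": "10.0.0.1", "netmask": "255.255.255.0"},
    {"hw": "token0", "name": "dmz", "level": 50, "ip": "172.16.0.1", "netmask": "255.255.0.0"},
]
BAD = [
    {"hw": "ethernet0", "name": "outside", "level": 10, "ip": "192.0.2.1", "netmask": "255.255.255.0"},
    {"hw": "ethernet1", "name": "lan", "level": 100, "ip": "192.0.2.1", "netmask": "255.0.255.0"},
]

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_plan(plan) or "ok")
```

The BAD worksheet shows the mistakes that matter most for the trust model: an outside interface left above level 0 and level 100 assigned to an interface not named "inside".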

Installing a PIX 506

This section includes the following topics:
Introduction
PIX 506 Installation Steps
Configuring the PIX 506

Introduction

To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The Front Panel LEDs, as shown in Figure 2-1, are as follows:
POWER—On when the unit has power.
ACT—Active indicator—On when the software image has been loaded on the PIX 506 unit.
NETWORK—On when at least one network interface is passing traffic.
Figure 2-1 PIX 506 Front Panel LEDs (labels: POWER, ACT, NETWORK)
PIX 506 back panel connectors and LEDs are shown in Figure 2-2.
The LEDs for the RJ-45 network ports display the following transmission states:
ACT—Shows network activity.
LINK—Shows that data is passing on the network to which the connector is attached.
The USB port to the left of the Console port is not used.
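Figure 2-2 PIX 506 Back Panel (callouts: ETHERNET 1 and ETHERNET 0 10BaseT (RJ-45) ports, each with ACT and LINK LEDs; USB port; Console port (RJ-45); power switch; DC POWER INPUT)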

PIX 506 Installation Steps

The PIX 506 should be placed on a flat, stable surface. The PIX 506 is not rack mountable.
Follow these steps to install a PIX 506:
Step 1 Use the RJ-45 Console port to connect a computer to enter configuration commands. Locate the serial
cable from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors, and one DB-9 connector and a DB-25 connector. Connect the cable as shown in Figure 2-3 so that you have either a DB-9 or DB-25 connector on one end as required by the serial port for your computer, and the other end is the RJ-45 connector.
Connect the RJ-45 connector to the PIX 506 and connect the other end to the serial port connector on your computer.
Figure 2-3 PIX 506 Serial Console Cable (RJ-45 to DB-9 or DB-25 null-modem serial cable from the Console port (RJ-45) to the computer serial port)
Step 2 The inside or outside network connections can be made to either interface port on the PIX 506. Connect
the inside network cable to the interface connector marked ETHERNET 0 or ETHERNET 1. Connect the outside network cable to the remaining Ethernet port. Refer to the “Configuring the PIX 506” section for information on how to configure the ports.
Step 3 The PIX 506 uses an external AC to DC power supply. Power is supplied to the PIX 506 by connecting
the power supply to the back of the PIX 506 and connecting a separate AC power cord to the power supply. Figure 2-4 displays the cable connection from the power supply to the PIX 506, and displays the AC power cord connector (at the opposite end of the power supply).
Figure 2-4 Connecting the Power Supply Module to the PIX 506
Step 4 When you are ready to start the PIX 506, power on the unit from the switch at the rear of the unit.

Configuring the PIX 506

If needed, you can use the PFSS (PIX Firewall Syslog Server) with the PIX 506. Refer to Chapter 4, “Installing the PIX Firewall Syslog Server (PFSS),” for more information on the installation and use of PFSS.
The PIX Firewall Setup Wizard provides an easy-to-use interface for building the initial PIX Firewall configuration. For more information on the PIX Firewall Setup Wizard, see Chapter 9, “Installing the PIX Firewall Setup Wizard.”
For more configuration information, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2, which is available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details. This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html

Installing a PIX 515

This section includes the following topics:
Introduction
Mounting the PIX 515
PIX 515 Installation Steps
Configuring the PIX 515
PIX 515 Feature Licenses

Introduction

To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The PIX 515 front panel LEDs are as follows (see Figure 2-5):
POWER—On when the unit has power.
ACT—On when the unit is the Active failover unit. If failover is not enabled, this light is on. If
failover is present, the light is on when the unit is the Active unit and off when the unit is in Standby mode.
NETWORK—On when at least one network interface is passing traffic.
Figure 2-5 PIX 515 Front Panel LEDs (labels: POWER, ACT, NETWORK)
Refer to Figure 2-6 for a display of the controls and connectors on the PIX 515 back panel.
Figure 2-6 PIX 515 Features (callouts: 10/100BaseTX ETHERNET 1 and ETHERNET 0 (RJ-45) ports, each with 100 Mbps, LINK, and FDX LEDs; FAILOVER connector; Console port (RJ-45); power switch; chassis label "DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED")
The LEDs for the network ports display the following transmission states:
100 Mbps—100 megabits per second 100BaseTX communication. If the light is off, that port is
using 10 megabits per second data exchange.
LINK—Shows that data is passing on the network to which the connector is attached.
FDX—Shows that the connection uses full-duplex data exchange where data can be transmitted and
received simultaneously. If this light is off, half-duplex is in effect.
The inside or outside network connections can be made to any available interface port on the PIX 515. If you are only using the ETHERNET 0 and ETHERNET 1 ports, connect the inside network cable to the interface connector marked ETHERNET 0 or ETHERNET 1. Connect the outside network cable to the remaining Ethernet port. Refer to “Configuring the PIX 515” for information on how to configure the ports.
The USB port to the left of the Console port is not used. The detachable plate above the ETHERNET 1 connector is also not used.

Mounting the PIX 515

The PIX 515 can be mounted in a rack, on a wall, or on a flat surface.
If you do not wish to rack mount the unit, attach the rubber feet to the bottom of the unit as shown in Figure 2-7.
Figure 2-7 Attaching the Rubber Feet to the PIX 515

Rack Mounting

Observe the following before installing the PIX 515 into an equipment rack:
If you wish to install optional circuit boards or memory, you can install the brackets on the unit for rack mounting, but do not put the PIX 515 in the equipment rack until you have installed the new boards. The top panel of the PIX 515 must be removed to properly install or remove a circuit board. Refer to Chapter 5, “Opening a PIX Firewall Chassis” for information on how to remove the chassis top panel.
For more information on installing circuit boards, see Chapter 7, “Installing a Circuit Board.”
If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”
Use the following steps to install the PIX 515 in a rack:
Step 1 Attach the bracket to the unit using the supplied screws. You can attach the brackets to the holes near the front of the unit.
Step 2 Attach the unit to the equipment rack.

Vertical Mounting

To mount the PIX 515 vertically, attach the brackets to the side of the unit and mount the unit vertically as shown in Figure 2-8.
Figure 2-8 Installing the PIX 515 Vertically

PIX 515 Installation Steps

Use the following steps to install a PIX 515:
Step 1 Use the Console port to connect to a computer to enter configuration commands. Locate the serial cable
from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors, and one DB-9 connector and a DB-25 connector. Connect the cable as shown in Figure 2-9 so that you have either a DB-9 or DB-25 connector on one end as required by the serial port for your computer, and the other end is the RJ-45 connector.
Connect the RJ-45 connector to the PIX 515 Console port and connect the other end to the serial port connector on your computer.
Figure 2-9 PIX 515 Serial Console Cable (RJ-45 to DB-9 or DB-25 null-modem serial cable from the Console port (RJ-45) to the computer serial port)
Step 2 If your unit has a four-port Ethernet card already installed, refer to Figure 2-10. (The four-port interface card requires the PIX-515-UR license to be accessed.) If it has one or two single-port cards, refer to Figure 2-11. If you need to install an optional circuit board such as a Private Link board, single-port Ethernet board, FDDI board, or a four-port Ethernet board, refer to Chapter 5, “Opening a PIX Firewall Chassis” for information about how to open the top panel of the chassis to install circuit boards.
Figure 2-10 Four-Port Ethernet Connectors in a PIX 515 (callouts: Ethernet 0 through Ethernet 5)
Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is 6; do not add a single-port card in the extra slot below the four-port card.
Figure 2-11 Two Single-Port Ethernet Connectors in a PIX 515 (callouts: Ethernet 0 through Ethernet 3)
As shown in Figure 2-11, if your unit has one or two single-port Ethernet cards installed in the auxiliary assembly on the left of the unit at the rear, the cards are numbered top to bottom so that the top card is Ethernet 2 and the bottom card is Ethernet 3. (Additional interface cards require the PIX-515-UR license to be accessed.)
Step 3 If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
Note Do not power on the failover units until the primary unit has been configured.
Step 4 When you are ready to start the PIX 515, power on the unit from the switch at the rear of the unit.

Configuring the PIX 515

The PIX Firewall Setup Wizard provides an easy-to-use interface for building the initial PIX Firewall configuration. For more information on the PIX Firewall Setup Wizard, see Chapter 9, “Installing the PIX Firewall Setup Wizard.”
For more configuration information, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2, which is available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details. This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
Refer to the next section for feature license options.

PIX 515 Feature Licenses

If you have a PIX-515-UR unrestricted feature license, the following options are available:
If you have a second PIX 515 to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
If needed, install the PIX Firewall Syslog Server as described in Chapter 4, “Installing the PIX
Firewall Syslog Server (PFSS).”
If you need to install an optional circuit board such as a Private Link board, single-port Ethernet
board, FDDI board, or a four-port Ethernet board, refer to Chapter 5, “Opening a PIX Firewall Chassis” for information about how to open the top panel of the chassis to install circuit boards.
Note It is very important to open the top panel before installing circuit boards in the PIX 515.
Even though it may appear possible to add or remove cards from the back panel, removing the top panel greatly simplifies the process.
If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”

Installing a PIX 525

Note If you choose to downgrade to any software version, you need to use the clear flashfs command before doing so. A new section has been added to Flash memory that must be cleared before downgrading.
This section includes the following topics:
Introduction
PIX 525 Installation Steps
Configuring the PIX 525
PIX 525 Feature Licenses

Introduction

To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The PIX 525 is displayed in Figure 2-12.
Figure 2-12 PIX 525 (front panel labels: POWER, ACTIVE)
The rear panel of the PIX 525 is shown in Figure 2-13.
Figure 2-13 PIX 525 Rear Panel View
There are two LEDs on the front panel of the PIX 525 (see Figure 2-14). The LEDs function as follows:
POWER—On when the unit has power.