CHAPTER
Installing a PIX Firewall
The following sections in this chapter describe how to install a PIX Firewall:
• Installation Overview
• Before You Begin the Installation
• Installing a PIX 506
• Installing a PIX 515
• Installing a PIX 525
• Installing a PIX 520 or Earlier Model
• Startup Messages
• Software Installation Notes
2
Installation Overview
Follow these steps to install a PIX Firewall:
Note If your PIX Firewall model supports a failover configuration, perform the steps that follow
only on the Primary (Active) unit. Refer to Chapter 3, “Installing Failover” for
information about setting up a failover configuration. (Does not apply to the PIX 506.)
Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the
Cisco Secure PIX Firewall Version 5.2 document. You can view this online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrcs52.htm
Step 2 Completely read the release notes for your respective software version referenced in the section
“Related Documentation” in “About This Manual.”
Step 3 Unpack the PIX Firewall. The PIX Firewall consists of two main components, the PIX Firewall unit and
a separate accessory kit. The accessory kit contains documentation, a power supply or cord, rack
mounting hardware (not applicable to the PIX 506), and additional software you can use with your
PIX Firewall.
Step 4 Place the PIX Firewall on a stable work surface.
Step 5 If you need to download software, refer to the “Software Installation Notes” section.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-1
Before You Begin the Installation
Before You Begin the Installation
Note The information you gather here is required during configuration and is a reminder to find
it while installing your PIX Firewall—before beginning the configuration. You can use
this information with Chapter 9, “Installing the PIX Firewall Setup Wizard” or with the
Cisco PIX Firewall Configuration Guide, Version 5.2.
Before you begin the installation, gather information about each network interface that will be
connected to the PIX Firewall. If you have a PIX 506, all you need are IP addresses for the two
interfaces. All other information in Table 2-1 will be provided automatically in the configuration that
comes with the PIX 506. For models other than the PIX 506, locate the following information before
proceeding.
Table 2-1 Configuration Information
Chapter 2 Installing a PIX Firewall
Outside
Network
Inside
Network Perimeter 1 Perimeter 2 Perimeter 3 Perimeter 4
Interface Speed
IP Address and
Netmask
Interface Name—HW
Interface Name—SW
Security Level
MTU Size
To prepare to configure the PIX Firewall, locate the following information:
• Interface speed—The speed of each network interface. You only need to specify a value for
Ethernet interface boards that do not autosense the interface’s speed, connection type, and full/half
duplex support; or for Token Ring interface boards. Use the interface command to enter the speed
for each interface in the configuration.
• IP address and netmask—The IP address and network mask for each network interface. The
IP address for each interface must be different from any others you use in your network. Use the ip
address command to enter the IP address and network mask for each interface in the configuration.
• Interface name—HW—The hardware name for the interface, such as ethernet0, ethernet1, token0,
token1, fddi0, fddi1, and so on. Use the nameif command to enter the hardware name for the
interface in the configuration.
2-2
• Interface name—SW—The software name for the interface, such as inside or outside. The inside
interface must be named “inside.” All other interfaces can have any name. Note that you will need
to enter this name frequently in the configuration. Use the nameif command to associate the
hardware and software names in the configuration.
• Security level—Used to determine the level of trust for each network interface. The outside
network must have a security level of 0 and the inside network must be 100. The perimeter
interfaces can be any value from 1 to 99. Use the nameif command to enter the security level in the
configuration.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
• MTU size—The maximum transmission unit (MTU) size for each network interface. You only need
to specify a value if you want to set an MTU size that differs from the default
(1,500 bytes/block for Ethernet; 8,192 bytes/block for Token Ring and FDDI).
In addition, you should determine the IP address of the outside default router and your network topology
and security policy. We recommend that you take a few minutes to draw a diagram of your network with
IP addresses, indicating which computers you are protecting, and which switches, routers, and hosts are
on each network.
Installing a PIX 506
This section includes the following topics:
• Introduction
• PIX 506 Installation Steps
• Configuring the PIX 506
Installing a PIX 506
Introduction
To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter
or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The Front Panel LEDs, as shown in Figure 2-1, are as follows:
• POWER—On when the unit has power.
• ACT—Active indicator—On when the software image has been loaded on the PIX 506 unit.
• NETWORK—On when at least one network interface is passing traffic.
Figure 2-1 PIX 506 Front Panel LEDs
POWER ACT NETWORK
25735
PIX 506 back panel connectors and LEDS are shown Figure 2-2.
The LEDs for the RJ-45 network ports display the following transmission states:
• ACT—Shows network activity.
78-11180-01
• LINK—Shows that data is passing on the network to which the connector is attached.
The USB port to the left of the Console port is not used.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-3
Installing a PIX 506
Chapter 2 Installing a PIX Firewall
Figure 2-2 PIX 506 Back Panel
ACT(ivity)
PIX 506 Installation Steps
The PIX 506 should be placed on a flat, stable surface. The PIX 506 is not rack mountable.
Follow these steps to install a PIX 506:
Step 1 Use the RJ-45 Console port to connect a computer to enter configuration commands. Locate the serial
cable from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45
connectors, and one DB-9 connector and a DB-25 connector. Connect the cable as shown in Figure 2-3
so that you have either a DB-9 or DB-25 connector on one end as required by the serial port for your
computer, and the other end is the RJ-45 connector.
LED
ACT
ETHERNET 1
10BaseT
(RJ-45)
LINK
LED
LINK
ACT(ivity)
LED
ACT
ETHERNET 0
10BaseT
(RJ-45)
LINK
LED
LINK
USB
CONSOLE
USB
port
Console
port (RJ-45)
Power switch
DC
POWER
INPUT
38852
Connect the RJ-45 connector to the PIX 506 and connect the other end to the serial port connector on
your computer.
Figure 2-3 PIX 506 Serial Console Cable
DC
POWER
ACT
ETHERNET 1
LINK
ACT
LINK
ETHERNET 0
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
USB
CONSOLE
Console
port (RJ-45)
INPUT
Computer serial port
DB-9 or DB-25
38853
2-4
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Step 2 The inside or outside network connections can be made to either interface port on the PIX 506. Connect
the inside network cable to the interface connector marked ETHERNET 0 or ETHERNET 1. Connect
the outside network cable to the remaining Ethernet port. Refer to the “Configuring the PIX 506”
section for information on how to configure the ports.
Step 3 The PIX 506 uses an external AC to DC power supply. Power is supplied to the PIX 506 by connecting
the power supply to the back of the PIX 506 and connecting a separate AC power cord to the power
supply. Figure 2-4 displays the cable connection from the power supply to the PIX 506, and displays
the AC power cord connector (at the opposite end of the power supply).
Figure 2-4 Connecting the Power Supply Module to the PIX 506
ACT
ETHERNET 1
Installing a PIX 506
DC
POWER
INPUT
LINK
ACT
ETHERNET 0
LINK
USB
CONSOLE
38854
Step 4
When you are ready to start the PIX 506, power on the unit from the switch at the rear of the unit.
Configuring the PIX 506
If needed, you can use the PFSS (PIX Firewall Syslog Server) with the PIX 506. Refer to Chapter 4,
“Installing the PIX Firewall Syslog Server (PFSS),” for more information on the installation and use of
PFSS.
The PIX Firewall Setup Wizard provides an easy-to-use interface for building the initial PIX Firewall
configuration. For more information on the PIX Firewall Setup Wizard, see Chapter 9, “Installing the
PIX Firewall Setup Wizard.”
For more configuration information, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2,
which is available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186
a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details.
This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
Power supply
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-5
Installing a PIX 515
Installing a PIX 515
This section includes the following topics:
• Introduction
• Mounting the PIX 515
• PIX 515 Installation Steps
• Configuring the PIX 515
• PIX 515 Feature Licenses
Introduction
To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter
or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The PIX 515 front panel LEDs are as follows (see Figure 2-5):
• POWER—On when the unit has power.
• ACT—On when the unit is the Active failover unit. If failover is not enabled, this light is on. If
failover is present, the light is on when the unit is the Active unit and off when the unit is in Standby
mode.
Chapter 2 Installing a PIX Firewall
• NETWORK—On when at least one network interface is passing traffic.
Figure 2-5 PIX 515 Front Panel LEDs
POWER ACT NETWORK
25735
2-6
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Refer to Figure 2-6 for a display of the controls and connectors on the PIX 515 back panel.
Figure 2-6 PIX 515 Features
Installing a PIX 515
100 Mbps
LED
LINK
LED
DO NOT INSTALL INTERFACE
CARDS WITH POWER APPLIED
100 Mbps
Link
10/100 ETHERNET 1
10/100BaseTX
ETHERNET 1
(RJ-45)
100 Mbps
LED
FDX
LED
FDX
100 Mbps
10/100BaseTX
LINK
LED
Link
10/100 ETHERNET 0
FDX
LED
FDX
ETHERNET 0
(RJ-45)
FAILOVER
CONSOLE
Console
port (RJ-45)
PIX-515
24298
Power switch
The LEDs for the network ports display the following transmission states:
• 100 Mbps—100 megabits per second 100BaseTX communication. If the light is off, that port is
using 10 megabits per second data exchange.
• LINK—Shows that data is passing on the network to which the connector is attached.
• FDX—Shows that the connection uses full-duplex data exchange where data can be transmitted and
received simultaneously. If this light is off, half-duplex is in effect.
The inside or outside network connections can be made to any available interface port on the PIX 515.
If you are only using the ETHERNET 0 and ETHERNET 1 ports, connect the inside network cable to
the interface connector marked ETHERNET 0 or ETHERNET 1. Connect the outside network cable to
the remaining Ethernet port. Refer to “Configuring the PIX 515” for information on how to configure
the ports.
The USB port to the left of the Console port is not used. The detachable plate above the ETHERNET 1
connector is also not used.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-7
Installing a PIX 515
Mounting the PIX 515
The PIX 515 can be mounted in a rack, on a wall, or on a flat surface.
If you do not wish to rack mount the unit, attach the rubber feet to the bottom of the unit as shown in
Figure 2-7.
Figure 2-7 Attaching the Rubber Feet to the PIX 515
Chapter 2 Installing a PIX Firewall
Fan
Rack Mounting
Step 1 Attach the bracket to the unit using the supplied screws. You can attach the brackets to the holes near
Step 2 Attach the unit to the equipment rack.
24301
Unused
Observe the following before installing the PIX 515 into an equipment rack:
• If you wish to install optional circuit boards or memory, you can install the brackets on the unit for
rack mounting, but do not put the PIX 515 in the equipment rack until you have installed the new
boards. The top panel of the PIX 515 must be removed to properly install or remove a circuit board.
Refer to Chapter 5, “Opening a PIX Firewall Chassis” for information on how to remove the chassis
top panel.
–
For more information on installing circuit boards, see Chapter 7, “Installing a Circuit Board.”
–
If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”
Use the following steps to install the PIX 515 in a rack:
the front of the unit.
2-8
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Vertical Mounting
To mount the PIX 515 vertically, attach the brackets to the side of the unit and mount the unit vertically
as shown in Figure 2-8.
Figure 2-8 Installing the PIX 515 Vertically
Installing a PIX 515
PIX-515
R
E
V
O
L
I
A
F
E
L
O
S
N
O
C
0
X
/
D
0
F
T
E
N
R
E
H
T
E
0
0
1
k
/
0
in
L
1
s
p
b
M
0
0
1
X
0
D
/
F
0
T
E
N
R
E
H
T
D
E
E
IE
C
L
0
A
P
0
F
k
P
R
/1
in
E
A
0
L
T
R
1
s
E
p
IN
b
W
L
L
M
O
A
0
P
0
T
1
H
S
IT
IN
T
W
O
S
D
N
R
O
A
D
C
PIX 515 Installation Steps
Use the following steps to install a PIX 515:
Step 1 Use the Console port to connect to a computer to enter configuration commands. Locate the serial cable
from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors,
and one DB-9 connector and a DB-25 connector. Connect the cable as shown in Figure 2-9 so that you
have either a DB-9 or DB-25 connector on one end as required by the serial port for your computer, and
the other end is the RJ-45 connector.
Connect the RJ-45 connector to the PIX 515 Console port and connect the other end to the serial port
connector on your computer.
24303
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-9
Installing a PIX 515
Figure 2-9 PIX 515 Serial Console Cable
PIX-515
100 Mbps
Link
10/100 ETHERNET 0
FDX
FAILOVER
CONSOLE
Chapter 2 Installing a PIX Firewall
Step 2
Console
port (RJ-45)
Computer serial port
DB-9 or DB-25
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
29226
If your unit has a four-port Ethernet card already installed, refer to Figure 2-10. (The four-port interface
card requires the PIX-515-UR license to be accessed.) If it has one or two single-port cards, refer to
Figure 2-11. If you need to install an optional circuit board such as a Private Link board, single-port
Ethernet board, FDDI board, or a four-port Ethernet board, refer to Chapter 5, “Opening a PIX Firewall
Chassis” for information about how to open the top panel of the chassis to install circuit boards.
Figure 2-10 Four-Port Ethernet Connectors in a PIX 515
Ethernet 5
Ethernet 3
D
O
N
O
T
IN
S
T
A
L
L
IN
T
E
R
F
A
C
E
C
A
R
D
S
W
IT
H
P
O
W
E
R
A
P
P
L
IE
Ethernet 2
Ethernet 4
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
10/1
0
0 E
TH
E
R
NE
T
1
Ethernet 1
Ethernet 0
PIX-515
F
A
IL
O
M
b
p
s
L
in
k
10/100 E
T
H
ER
V
E
R
F
D
X
N
E
T
0
C
O
N
S
O
LE
25733
2-10
Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left
the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed
interfaces is 6; do not add a single-port card in the extra slot below the four-port card.
Figure 2-11 Two Single-Port Ethernet Connectors in a PIX 515
Ethernet 2
D
O
N
O
T
IN
S
T
A
L
L
IN
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
IE
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
M
b
p
s
L
in
k
10/100 E
THE
R
N
E
T 1
1
0/1
00 E
TH
Ethernet 3
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
Ethernet 1
Ethernet 0
PIX-515
F
A
IL
O
V
E
R
F
D
X
E
RN
E
T
0
C
O
N
S
O
LE
25734
78-11180-01
Chapter 2 Installing a PIX Firewall
As shown in Figure 2-11, if your unit has one or two single-port Ethernet cards installed in the auxiliary
assembly on the left of the unit at the rear, the cards are numbered top to bottom so that the top card is
Ethernet 2 and the bottom card is Ethernet 3. (Additional interface cards require the PIX-515-UR
license to be accessed.)
Step 3 If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
Note Do not power on the failover units until the primary unit has been configured.
Step 4 When you are ready to start the PIX 515, power on the unit from the switch at the rear of the unit.
Configuring the PIX 515
The PIX Firewall Setup Wizard provides an easy-to-use interface for building the initial PIX Firewall
configuration. For more information on the PIX Firewall Setup Wizard, see Chapter 9, “Installing the
PIX Firewall Setup Wizard.”
Installing a PIX 515
For more configuration information, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2,
which is available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186
a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details.
This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
Refer to the next section for feature license options.
PIX 515 Feature Licenses
If you have a PIX-515-UR unrestricted feature license, the following options are available:
• If you have a second PIX 515 to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
• If needed, install the PIX Firewall Syslog Server as described in Chapter 4, “Installing the PIX
Firewall Syslog Server (PFSS).”
• If you need to install an optional circuit board such as a Private Link board, single-port Ethernet
board, FDDI board, or a four-port Ethernet board, refer to Chapter 5, “Opening a PIX Firewall
Chassis” for information about how to open the top panel of the chassis to install circuit boards.
78-11180-01
Note It is very important to open the top panel before installing circuit boards in the PIX 515.
Even though it may appear possible to add or remove cards from the back panel, removing
the top panel greatly simplifies the process.
• If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-11
Installing a PIX 525
Note If for any reason you may choose to downgrade to any software version, note that you need
to use the clear flashfs command before doing so. A new section has been added to Flash
memory that must be cleared before downgrading.
Installing a PIX 525
This section includes the following topics:
• Introduction
• PIX 525 Installation Steps
• Configuring the PIX 525
• PIX 525 Feature Licenses
Introduction
Chapter 2 Installing a PIX Firewall
To download software to a PIX Firewall, see the “Software Installation Notes” section in this chapter
or refer to the Cisco PIX Firewall Configuration Guide, Version 5.2.
The PIX 525 is displayed in Figure 2-12.
Figure 2-12 PIX 525
POWER
ACTIVE
CISCO SECURITY PIX 525
FIREWALL
44009
SERIES
The rear panel of the PIX 525 is shown in Figure 2-13.
Figure 2-13 PIX 525 Rear Panel View
44010
2-12
O
100M
bps A
CT
LIN
K
100M
bps A
CT
LIN
10/100 E
TH
E
K
R
N
E
T
1
10/100 E
TH
E
R
N
E
T
0
U
S
B
CO
There are two LEDs on the front panel of the PIX 525 (see Figure 2-14). The LEDs function as follows:
• POWER—On when the unit has power.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
F
A
I
L
V
E
R
P
IX-525
NS
O
LE
78-11180-01
Chapter 2 Installing a PIX Firewall
F
A
I
L
O
V
E
R
100M
bps A
C
T
100M
bps A
C
T
LIN
K
LIN
K
P
IX
-525
10/100 ETHERNET 1
10/100 ETHERNET 0
USB
CONSOLE
• ACT—On when the unit is the Active failover unit. If failover is present, the light is on when the
unit is the Active unit and off when the unit is in Standby mode.
Figure 2-14 PIX 525 Front Panel LEDs
Installing a PIX 525
44568
There are three LEDs for the each RJ-45 interface port and three types of fixed interface connectors on
the back of the PIX 525. The LEDs and connectors are shown in Figure 2-15.
Figure 2-15 PIX 525 Rear Panel
ACT(ivity)
LED
100Mbps
LED
10/100 BaseTX
Ethernet 1
(RJ-45)
ACT(ivity)
LED
LINK
LED
10/100 BaseTX
Ethernet 0
(RJ-45)
LINK
LED
Failover
connector
44567
USB
port
Console
port (RJ-45)
78-11180-01
The LEDs display the following transmission states:
• 100 Mbps—100 megabits per second 100BaseTX communication. If the light is off during network
activity, that port is using 10 megabits per second data exchange.
• ACT—Shows network activity.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-13
Installing a PIX 525
F
A
I
L
O
V
E
R
100M
bps AC
T
100M
bps A
C
T
LIN
K
LIN
K
P
IX
-525
10/100 ETHERNET 1
10/100 ETHERNET 0
USB
CONSOLE
• LINK—Shows that data is passing through that interface.
The following are fixed connectors on the back of the PIX 525:
• RJ-45—Network and console connectors.
• DB-15—Failover cable connector.
• USB—Not used at the present time.
PIX 525 Installation Steps
Use the following steps to install a PIX 525:
Step 1 The PIX 525 provides one set of brackets for installing the unit in an equipment rack. Use the following
steps if the unit is going to be installed into an equipment rack:
a. Attach the brackets to the holes near the front of the unit on each side of the PIX 525 using the
supplied screws.
b. Attach the unit to the equipment rack.
Step 2 Use the Console port to connect a computer to enter configuration commands. Locate the serial cable
from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors,
and one DB-9 connector and a DB-25 connector. Connect the cable so that you have either a DB-9 or
DB-25 connector on one end as required by the serial port for your computer, and the other end is the
RJ-45 connector as shown in Figure 2-16.
Chapter 2 Installing a PIX Firewall
Connect the RJ-45 serial cable connector to the PIX 525 console connector and connect the other end
to the serial port connector on your computer.
Figure 2-16 PIX 525 Rear Panel
Console
port (RJ-45)
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
Computer serial port
DB-9 or DB-25
44634
2-14
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Step 3 The inside or outside network connections can be made to any available interface port on the PIX 525.
If you are only using the ETHERNET 0 and ETHERNET 1 ports, connect the inside network cable to
the interface connector marked ETHERNET 0 or ETHERNET 1. Connect the outside network cable to
the remaining Ethernet port. Refer to “Configuring the PIX 525” for information on how to configure
the ports.
Step 4 If you need to install an optional circuit board such as a Private Link, Token-Ring, FDDI, or Ethernet
type board, refer to Chapter 7, “Installing a Circuit Board.” If you need to install memory, use
Chapter 6, “Installing a Memory Upgrade,” for more information.
Note It should not be necessary to remove the top panel of the PIX 525 to access the circuit
boards or memory. If you do need to open the top panel, refer to Chapter 5, “Opening a
PIX Firewall Chassis” for more information.
Step 5 Connect the network cables to the expansion interface ports. (The inside, outside, or perimeter network
connections can be made to any available interface port on the PIX 525.) The first expansion port
number, at the top left, is interface 2. Starting from that port and going from left to right and top to
bottom, the next port is interface 3, the next is interface 4, and so on. Use the “Configuring the PIX 525”
section for information on how to configure the ports.
Step 6 If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
Installing a PIX 525
Note Do not power on the failover units until the primary unit has been configured.
Step 7 When you are ready to start the PIX 515, power on the unit from the switch at the rear of the unit.
Configuring the PIX 525
The PIX Firewall Setup Wizard provides an easy-to-use interface for building the initial PIX Firewall
configuration. For more information on the PIX Firewall Setup Wizard, see Chapter 9, “Installing the
PIX Firewall Setup Wizard.”
For more configuration information, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2,
which is available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186
a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details.
This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
Refer to the next section for feature license options.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-15
Installing a PIX 520 or Earlier Model
PIX 525 Feature Licenses
If you have a PIX-525-UR unrestricted feature license, the following options are available:
• If you have a second PIX 525 to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
Note Do not power on the failover units until the primary unit has been configured.
• If needed, install the PIX Firewall Syslog Server as described in Chapter 4, “Installing the PIX
Firewall Syslog Server (PFSS).”
• If you need to install an optional circuit board such as a Private Link, Ethernet, FDDI, or
Token-Ring board, refer to Chapter 7, “Installing a Circuit Board.”
• If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”
Note If for any reason you may choose to downgrade to any software version, note that you need
to use the clear flashfs command before doing so. A new section has been added to Flash
memory that must be cleared before downgrading.
Chapter 2 Installing a PIX Firewall
Installing a PIX 520 or Earlier Model
The following topics are described in this section:
• PIX 520 or Earlier Model Installation Instructions
• PIX Firewall with a Four-Port Interface Card
• Installing Interface Cables to a PIX 520 or Earlier Model
PIX 520 or Earlier Model Installation Instructions
Follow these steps to install a PIX 520 or earlier model:
Step 1 Refer to Figure 2-17 for information on the features of the PIX 520 unit.
2-16
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Figure 2-17 PIX 520 Front, Rear, and Side Panels.
Front Rear
RE
S
E
T
PIX Firewall
SERIES
Power connector
Power switch
Installing a PIX 520 or Earlier Model
tion
nge Selec
to-Ra
Au
V H:180-270V
35
-1
L:90
AC
Reset
button
Powe r
light
Diskette
compartment
1
To access,
loosen screws
counterclockwise
3
Insert PIX
security appliance
diskette
Slots for
network
interfaces
Failover
connector
2
Set plate
on surface
4
To remove
diskette,
push button
Console
connector
+–
DC power connector
Fan duct
rackmount slide rails
(must be purchased
Rackmount
holes
Power switch
–
+
Left side
Holes to connect
separately from
outside vendor)
DC
Ground lugs
Holes to connect
rackmount brackets
(if rackmounting
is desired)
78-11180-01
10656
Right side
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-17
Installing a PIX 520 or Earlier Model
Figure 2-18 lists the controls on earlier PIX Firewall models.
Figure 2-18 Earlier PIX Firewall Access
Power
light
Power
switch
P
O
W
E
R
Chapter 2 Installing a PIX Firewall
Diskette
drive
R
E
S
E
T
Reset switch
Diskette eject button
H7484
Step 2 Connect network cables to each of the PIX Firewall’s network interfaces. On the PIX 520, connect the
cables at the front of the unit; on earlier models, connect the cables at the rear.
If you are not installing a four-port Ethernet card, which is supported only with version 4.4(1) and later,
add the cables as shown in Figure 2-19.
Figure 2-19 Up to Four Single-Port Interfaces in a PIX Firewall
44305
Interface 3
Interface 2
Interface 1
Interface 0
2-18
PIX Firewall version 2 supports two interfaces, version 3 supports three interfaces, versions 4.0 and 4.1
support three interfaces, version 4.2 supports four interfaces, version 4.3 supports four interfaces, and
version 4.4 supports six interfaces. Version 5.0, 5.1, and 5.2 support up to 6 interfaces.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
PIX Firewall with a Four-Port Interface Card
As of PIX Firewall version 4.4(1) and later, you can install one optional four-port Ethernet interface
card in the PIX 520 and earlier hardware models.
Note Use of the four-port card changes the position of the outside and inside interfaces
depending on the slot in which the card is installed. Four-port Ethernet card connectors are
numbered from the top connector down sequentially.
The Cisco four-port Ethernet interface card provides four 10/100 Ethernet connections and has
autosense capability. Connectors on the four-port card are numbered top to bottom sequentially;
however, the actual device number depends on the slot in which the four-port card is installed. Table 2-2
shows how the top connector is numbered.
Table 2-2 Numbering Devices with a Four-Port Connector
Slot 0 Contains Slot 1 Contains Slot 2 Contains
4-port Any Any ethernet0
Ethernet 4-port Any ethernet1
Ethernet Ethernet 4-port (required location on PIX
515)
Token Ring 4-port Any ethernet0
Token Ring Token Ring 4-port ethernet0
Token Ring Ethernet 4-port ethernet1
Ethernet Token Ring 4-port ethernet1
Installing a PIX 520 or Earlier Model
Four-Port Top
Connector is:
ethernet2
78-11180-01
With the four-port card, having a card in slot 3 makes the number of interfaces greater than six; while
the card in slot 3 cannot be accessed, its presence does not cause problems with the PIX Firewall.
Figure 2-20 shows the location of the interfaces if you install a four-port card in slot 0.
Figure 2-20 Four-Port Ethernet Interface Installed in Slot 0
Interface 0
Interface 1
Interface 2
Interface 3
44306
Interface 5
Interface 4
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-19
Installing a PIX 520 or Earlier Model
Figure 2-21 shows how the slots are numbered if a single-port interface card is inserted in slot 0 and a
four-port interface card is inserted in slot 1.
Figure 2-21 Single-Port Ethernet Interface Installed in Slot 0 and Four-Port Installed in Slot 1
Interface 1
Figure 2-22 shows how the slots are numbered if single-port interface cards are installed in slot 0 and
in slot 1 and a four-port interface card is inserted in slot 2.
Figure 2-22 Single-Port Ethernet Interface Installed in Slot 0 and 1 and Four-Port Ethernet Interface
Chapter 2 Installing a PIX Firewall
Interface 2
Interface 3
Interface 4
44307
Interface 0
Installed in Slot 2
Interface 2
Interface 3
Interface 4
Interface 5
44308
Interface 0
Interface 1
Installing Interface Cables to a PIX 520 or Earlier Model
Follow these steps to install interface cables to a PIX 520 or earlier model:
Step 1 Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45
connectors, two separate DB-9 connectors, and a separate DB-25 connector as shown in Figure 2-23.
Step 2 Install the serial cable between the PIX Firewall and your console computer.
2-20
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Figure 2-23 PIX Firewall Serial Cable Assembly
Installing a PIX 520 or Earlier Model
Step 3
PIX security appliance
console connector
DB-9-to-DB-25
serial cable
(null-modem)
Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX
C
O
N
S
O
L
E
Console
port (DB-9)
Computer serial port
DB-25 or DB-9
12275
Firewall.
Step 4 Connect one end of the RJ-45 null modem cable to the DB-9 connector.
Step 5 If you are installing an AC voltage PIX Firewall, connect the PIX Firewall unit’s power cord to the
power connector on the rear panel of the unit, and to a power outlet.
If you are installing a DC voltage PIX Firewall, refer to Chapter 8, “Installing a DC Voltage PIX 515
or PIX 520.”
Step 6 The following options are available:
a. If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in Chapter 3, “Installing Failover.”
Note Do not power on the failover units until the primary unit has been configured.
b. If needed, install the PIX Firewall Syslog Server as described in Chapter 4, “Installing the PIX
Firewall Syslog Server (PFSS).”
c. If you need to install an optional circuit board such as a single-port Ethernet board, or the four-port
Ethernet board, refer to Chapter 5, “Opening a PIX Firewall Chassis,” for information about how
to open the top panel of the chassis to install circuit boards.
d. If you need to install additional memory, refer to Chapter 6, “Installing a Memory Upgrade.”
Step 7 If you are ready to start configuring the PIX Firewall, power on the unit. When the unit is powered on,
refer to the Cisco PIX Firewall Configuration Guide, Version 5.2. Alternatively, you can use the PIX
Firewall Setup Wizard described in Chapter 9, “Installing the PIX Firewall Setup Wizard.”
If you need to download software version 5.1 or higher, use the “Boothelper Installation” section. If
your site downloads configuration images from a TFTP server, use the section “Downloading a
Software Image over TFTP” to learn how you can access boot mode while the PIX Firewall is starting
up. The PIX Firewall pauses for 10 seconds for you to press the Escape key or send a BREAK character.
On a Windows system, press the Esc key to access boot mode.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-21
Startup Messages
To configure your unit, refer to the Cisco PIX Firewall Configuration Guide, Version 5.2, which is
available in your accessory kit or online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186
a00801027d5.html
Always check the release notes first before configuring the PIX Firewall for the latest release details.
This document is also in your accessory kit or you can view it online at the following site:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
Startup Messages
When you reboot or power on the PIX Firewall, a list of startup messages appear on the console screen.
The list of startup messages is described in the following sections:
• First Messages
• Installing for the First Time or Installing an Activation Key
• After the Prompts
Chapter 2 Installing a PIX Firewall
First Messages
An example of the first messages displayed are as follows:
booting....
PhoenixPICOBIOS 4.0 Release 6.0
Copyright 1985-1998 ABC Technologies Ltd.
All Rights Reserved
Build Time:04/27/00 17:08:34
Polaris BIOS Version 0.09
CPU = Pentium with MMX 200 MHz
640K System RAM Passed
63M Extended RAM Passed
0512K Cache SRAM Passed
System BIOS shadowed
limit segment address:EFE5
Cisco Secure PIX Firewall BIOS (4.0) #0:Mon Sep 13 13:28:49 PDT 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 2011648 bytes of image from flash.
64MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 11 MAC:00aa.0000.000f
mcwa i82559 Ethernet at irq 10 MAC:00aa.0000.0010
• Writing Different Versions of the Configuration to Flash Memory
• Writing the Same Version of the Configuration to Flash Memory
• Configuration Version Message
2-22
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
The Flash statement indicates the type of Flash memory. Use the show version command in the
Configuration Guide for the Cisco Secure PIX Firewall Version 5.2 to verify the amount of Flash
memory. If you have an insufficient amount of memory, the PIX Firewall would have displayed an error
message and stopped the installation. Refer to Chapter 1, “Introduction,” for a description of the system
requirements for the PIX Firewall platforms.
Installing for the First Time or Installing an Activation Key
Note You must have a new activation key before you can use any of the version 5.0 (or higher)
IPSec features or commands. You can have a new activation key sent to you by completing
the form at the following site:
https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=
324
PIX Firewall then displays the following message:
Activation Key: aaaabbbb ccccddd eeeeffff 11112222
Startup Messages
Do you want to enter a new activation key? [n]
If you are installing for the first time or you want to enter a new activation key, enter y for Yes.
If you do not wish to enter an activation key, enter
PIX Firewall will enter No for you. If you enter
each part of the activation key:
Enter Activation Key
Enter the first part of your new activation key. (In the previous example for the activation key listing,
the first part is aaaabbbb.)
PIX Firewall then prompts you for the other 3 parts of the activation key. Enter each part:
After the Prompts
PIX Firewall then continues the startup messages as follows:
Writing nnnnnnn bytes image into flash...
64MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
n for No, or wait approximately 45 seconds and the
y to enter an activation key, you are prompted to enter
Part 1 of 4:
Part 2 of 4:
Part 3 of 4:
Part 4 of 4:
78-11180-01
To install, you need to see at least 32 MB of RAM. If you had too little memory, a message would
display indicating “
insufficient memory.”
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-23
Startup Messages
Chapter 2 Installing a PIX Firewall
PIX Firewall then lists each interface. Because PIX Firewall interface cards are polled instead of using
interrupts, the IRQ (interrupt request) lines can have duplicate numbers:
mcwa i82559 Ethernet at irq 10 MAC: 0050.54fe.eaea
mcwa i82559 Ethernet at irq 7 MAC: 0050.54fe.eaeb
mcwa i82558 Ethernet at irq 11 MAC: 00e0.b600.4520
mcwa i82558 Ethernet at irq 11 MAC: 00e0.b600.4521
In this example, the PIX Firewall has four Ethernet interfaces. The MAC address is a unique hardware
identifier for each interface.
The following messages then appear:
AMCC Chip Address: f880
Indirect Address Register: fc40
Indirect Data Register: fc00
IRQ: 9
If an encryption card is present, the following message appears:
CA9568 Encryption @ 0x3a0
The PIX Firewall symbol appears followed by the version number and the number of connections.
---------------------------------------------------------------------- || ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
---------------------------------------------------------------------- Cisco Secure PIX Firewall
Cisco Secure PIX Firewall Version 5.2(1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
If an encryption card is present, the following export statement appears:
****************************** Warning *******************************
An encryption device has been discovered.
This product is not authorized for use by persons located outside the
United States and Canada that do not have export license authority
from Cisco Systems, Inc. and/or the U.S. Government.
This product may not be exported outside the U.S. and Canada either by
physical or electronic means without the prior written approval of
Cisco Systems, Inc. and/or the U.S. Government.
Persons outside the U.S. and Canada may not reexport, resell, or
transfer this product by either physical or electronic means without
prior written approval of Cisco Systems, Inc. and/or U.S. Government.
******************************* Warning *******************************
2-24
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
If you have an activation key that supports encryption, the following statement appears:
****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.
This product performs encryption and is regulated for export
by the U.S. Government.
This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.
This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.
Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************
PIX Firewall then displays the following messages:
The 'logging trap' command now sets only the syslog server logging level.
Use the 'logging history' command to set the SNMP logging level.
Startup Messages
Cryptochecksum(unchanged): 29bd47de e4c13958 db57ee04 282ae9de
Copyright (c) 1996-2000 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Type help or '?' for a list of available commands.
pixfirewall> enable
Enter the enable command to start unprivileged mode. You are then prompted for the enable password
as follows:
Password:
Unless you have assigned a value to the enable password, which you can do with the enable password
command, press the Enter key to signify the default of no password. You are now in unprivileged mode.
Start configuration mode by entering the configure terminal command:
pixfirewall# configure terminal
pixfirewall(config)#
78-11180-01
You are now ready to start configuring your PIX Firewall, which is described in the following sections
and in the Cisco PIX Firewall Configuration Guide, Version 5.2.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-25
Chapter 2 Installing a PIX Firewall
Startup Messages
Writing Different Versions of the Configuration to Flash Memory
If the Flash memory version and the version of the installation software differ, PIX Firewall
automatically writes the image to Flash memory. The following is an example of the message that is
displayed when the Flash memory and the installation software are different versions:
Flash version 5.2(0), Install version 5.2(1)
The following is an example of the message and the complete screen that is displayed when the Flash
memory and the installation software are different versions:
PIX BIOS (3.5)
Booting Floppy
...................................Execing flop
Cisco Secure PIX Firewall floppy loader (3.0) #0:Wed Feb 23 10:11:36 PST 2000
Reading installation media.................
64MB RAM
Flash=AT29C040A @ 0x300
BIOS Flash=AM28F256 @ 0xfffd8000
mcwa i82557 Ethernet at irq 11 MAC:00a0.c977.a616
mcwa i82557 Ethernet at irq 10 MAC:00a0.c967.e25c
mcwa i82557 Ethernet at irq 15 MAC:00a0.c986.8e4c
---------------------------------------------------------------------- || ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
---------------------------------------------------------------------- Cisco Secure PIX Boothelper
Cisco Secure PIX Boothelper Version 5.2(1)
pixboothelper> a 10.132.12.66
address:10.132.12.66
pixboothelper> s 10.129.0.2
server 10.129.0.2
pixboothelper> i 0
current interface is 0
0: i82557 @ PCI(bus:0 dev:13 irq:11) ethernet0 100basetx
1: i82557 @ PCI(bus:0 dev:14 irq:10) ethernet1 not_init
2: i82557 @ PCI(bus:0 dev:15 irq:15) ethernet2 not_init
pixboothelper> f pix-5.2.1-release
file pix-5.2.1-release
pixboothelper> tftp
tftp
pix-5.2.1-release@10.129.0.2...........................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
.......................................................................................
....................................................
2-26
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
The example startup messages continue:
Received nnnnnnn bytes.
Flash version 5.2(0), Install version 5.2(1)
Installing to flash
Serial Number:nnnnnnn (0xnnnnn)
Activation Key:70ffbacc 62b8e7c2 87021a9c 98c9a02b
Do you want to enter a new activation key? [n]
Writing nnnnnnn bytes image into flash...
Ready to reboot, please remove the disk.
Writing the Same Version of the Configuration to Flash Memory
If the versions are the same, you are prompted with the following:
Do you wish to copy the install image into flash? [n]
Startup Messages
If you wish to load the configuration, enter Y for Yes. Alternatively, you can ignore the prompt and the
PIX Firewall will not start the download. If you do not perform the download, proceed to the
“After the Prompts” section.
The following is an example of the message displayed when the Flash memory and the installation
software are the same versions:
Flash version 5.2(1), Install version 5.2(1)
Do you wish to copy the install image into flash? [n] y
Installing to flash
Serial Number:nnnnnnn (0xnnnnn)
Activation Key:aaaabbbb ccccddd eeeeffff 11112222
Do you want to enter a new activation key? [n]
All other startup messages are the same as shown in the previous section, “Writing Different Versions
of the Configuration to Flash Memory.”
Configuration Version Message
PIX Firewall now displays a warning message if the configuration file (stored in Flash memory) is
newer than the PIX Firewall software version currently being loaded. This message warns you of the
possibility of unrecognized commands in the configuration file. For example, if you install a version of
5.0 software when the current version is 5.1 or higher, the following example message appears at
startup:
Configuration Compatibility Warning:
The config is from version 5.1(1).
but the image is version 5.0(3).
78-11180-01
In the message, “config” is the version in Flash memory and “image” is the version you are installing.
You will not receive this message if the installation is an upgrade of the same major release. For
example, if you are installing from version 5.1(1) to 5.1(2).
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-27
Software Installation Notes
Software Installation Notes
This section provides information about installing software on a PIX Firewall.
Note If you are upgrading from an earlier software version, save your configuration and write
down your activation key.
The following topics are discussed in this section:
• Boothelper Installation
• Downloading a Software Image over TFTP
• Using TFTP Commands
• TFTP Download Error Codes
• Upgrading the Activation Key
Boothelper Installation
Chapter 2 Installing a PIX Firewall
Note The Boothelper installation only supports PIX Firewall version 5.1 and later. The
Boothelper installation only applies to PIX Firewall units with a diskette drive, not to the
PIX 506, PIX 515, and PIX 525.
Follow these steps to install the PIX Firewall software using the Boothelper:
Step 1 Access CCO at http://www.cisco.com and log in. Then access the PIX Firewall software downloads at
the following site:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
Step 2 Download the Boothelper image from CCO and the current PIX Firewall software image.
Note Do not attempt to load version 5.1 or higher on a PIX Firewall unit containing less
than 32 MB of memory. While the PIX Firewall may appear to permit this
configuration, upon reboot, the PIX Firewall unit will continuously fail. You can
stop this by immediately inserting a previous version diskette into the PIX
Firewall unit and pressing the reboot switch.
If you are using Windows, also download the rawrite.exe program from CCO, and download a TFTP
server from the following site:
http://www.cisco.com/cgi-bin/tablebuild.pl/tftp
The UNIX and LINUX operating systems contain a TFTP server.
2-28
Step 3 To prepare a UNIX or LINUX TFTP server to provide an image to the PIX Firewall, edit the inetd.conf
file to remove the # (comment character) from the start of the “tftp” statement. Then use the
ps aux | grep inetd command string to determine the process ID of the current inetd process. Use the
kill command to kill the process. The process will restart automatically. Continue with Step 5.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Step 4 If you are using Windows, use the rawrite program to put the Boothelper image on diskette. A sample
rawrite session follows:
C:\pix> rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette
Enter source file name: bh521.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 78 Head: 1 Sector: 16
Done.
C:\pix>
If you are using UNIX, use the dd command. For example, if the diskette device name is rd0, use the
following command:
dd bs=18b if=./bh521.bin of=/dev/rd0
Step 5 Get the TFTP server working on a host in your network and add the PIX Firewall binary image to a
directory accessible by the server.
Step 6 Connect a console to the PIX Firewall and ensure that it is ready.
Software Installation Notes
Step 7 Put the diskette containing the Boothelper in the PIX Firewall and reboot it. When the PIX Firewall
starts, the pixboothelper> prompt appears.
Step 8 You can now enter commands to download the binary image from the TFTP server:
a. If needed, use a question mark (?) or enter the help command to list the available commands.
b. Use the address command to specify the IP address of the PIX Firewall unit’s interface on which
the TFTP server resides. You can abbreviate this command as a.
c. Use the server command to specify the IP address of the host running the TFTP server. You can
abbreviate this command as s.
d. Use the file command to specify the filename of the PIX Firewall image. You can abbreviate this
command as f. In UNIX, the file needs to be world readable for the TFTP server to access it.
e. If needed, use the gateway command to specify the IP address of a router gateway through which
the server is accessible.
f. If needed, use the ping command to verify accessibility. If this command fails, fix access to the
server before continuing. Use the interface command to specify which interface the ping traffic
should use. The Boothelper defaults to the interface 1. You can abbreviate the interface command
as i.
g. Use the tftp command to start the download.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-29
Software Installation Notes
The following is an example session:
Cisco Secure PIX Boothelper Version 5.2(1)
pixboothelper> a 10.132.12.66
address:10.132.12.66
pixboothelper> s 10.129.0.2
server 10.129.0.2
pixboothelper> i 0
current interface is 0
0: i82557 @ PCI(bus:0 dev:13 irq:11) ethernet0 100basetx
1: i82557 @ PCI(bus:0 dev:14 irq:10) ethernet1 not_init
2: i82557 @ PCI(bus:0 dev:15 irq:15) ethernet2 not_init
pixboothelper> f pix-5.2.1-release
file pix-5.2.1-release
pixboothelper> tftp
tftp
pix-5.2.1-release@10.129.0.2...........................................................
................................
Step 9 After the image downloads, you are prompted to install the new image. Enter y.
Step 10 When you are prompted, enter your activation key.
Step 11 After you enter your activation key, PIX Firewall prompts you to remove the Boothelper diskette. You
have 30 seconds to remove the diskette. During this time you have three options:
Chapter 2 Installing a PIX Firewall
a. Remove the diskette and reboot the unit with the reboot switch.
b. Use the reload command while the diskette is in the unit.
c. After the interval, the PIX Firewall will automatically boot from the Boothelper diskette.
After Boothelper downloads the PIX Firewall image via TFTP, it verifies the checksum of the image. If
it is not version 5.1 or later, it displays the message “Checksum verification on flash image failed” and
reboots the PIX Firewall.
Keep the Boothelper diskette available for future upgrades. You will need to repeat these steps whenever
you download an image to your PIX Firewall unit. Alternatively, you can use the copy tftp flash
command to download an image directly from the PIX Firewall command line. Refer to “Using the copy
tftp flash Command” for more information.
Downloading a Software Image over TFTP
The PIX 506, PIX 515, and PIX 525 receive their boot image from either Flash memory or by
downloading the image from a TFTP server. You can obtain a TFTP server as an option from Cisco, you
can use the TFTP server provided with UNIX, or you can use a TFTP server available for your
computer.
You can download a free TFTP server from Cisco at the following site:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp
2-30
Because the PIX 506, PIX 515, and PIX 525 do not have a diskette drive, you need to send a binary
image to the unit using Trivial File Transfer Protocol (TFTP). The PIX 506, PIX 515, and PIX 525 have
a special mode called ROM monitor mode that lets you retrieve the binary image over the network.
You can get the most current PIX Firewall software image from the following site:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Note A diskette software image is not included with the PIX 506, PIX 515, or PIX 525. The
initial image is stored in Flash memory. You can obtain the latest binary image from Cisco
Connection Online (CCO) using a web browser or via FTP, storing the image on a TFTP
server. Once the TFTP server is available on a network accessible to the PIX Firewall and
you specify the IP address of the server from boot mode, the PIX 506, PIX 515, or PIX 525
will download the binary image over the network to itself.
Note Do not attempt to use a PIX Firewall diskette from a PIX 520 or earlier model to transfer
the image to the TFTP server. This image will not install correctly. While the ROM
monitor is protected from this boot method, the PIX 506, PIX 515, and PIX 525 will not
boot from the diskette image.
Note Entering a new activation key or recovering a password requires that you access the ROM
monitor, download an image, and then proceed on to the prompts that follow this activity.
(For password recovery, contact Cisco’s Customer Support organization as described in
the section “Obtaining Technical Assistance” in “About This Manual.”)
Software Installation Notes
Note When you enter the ROM monitor, PIX 506, PIX 515, and PIX 525 applications will not
be running; therefore, no traffic will pass in or out of your network while this operation is
being performed.
Using TFTP Commands
The following sections describe TFTP commands:
• Using the copy tftp flash Command
• Using the monitor Command
With the 5.1 or higher software release, you can use the copy tftp flash command from the PIX Firewall
configuration mode. This command allows remote management of a binary image that can be uploaded
without accessing monitor mode. The next section describes the copy tftp flash command.
Use the monitor command with software prior to the 5.1 release. See the “Using the monitor
Command” section for more details.
Using the copy tftp flash Command
Once you start the PIX Firewall and go to configuration mode, you can use the copy tftp flash command
to download a software image via TFTP. You can use the copy tftp flash command with any PIX
Firewall model running version 5.1 or later.
78-11180-01
The image you download is made available to the PIX Firewall on the next reload (reboot).
The command syntax is as follows:
copy tftp[:[[//location][/pathname]]] flash
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-31
Software Installation Notes
If the command is used without the location or pathname optional parameters, then the location and
filename are obtained from the user interactively via a series of questions similar to those presented by
Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command
settings. If other optional parameters are supplied, then these values would be used in place of the
corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon
and anything after it, causes the command to run without prompting for user input.
The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming
resolution mechanism (currently static mappings via the name and names commands). PIX Firewall
must know how to reach this location via its routing table information. This information is determined
by the ip address command, the route command, or also RIP, depending upon your configuration.
The pathname can include any directory names besides the actual last component of the path to the file
on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in
the TFTP server instead of in the copy tftp flash command. In UNIX, the file needs to be world readable
for the TFTP server to access it.
If your TFTP server has been configured to point to a directory on the system from which you are
downloading the image, you need only use the IP address of the system and the image filename. For
example, if you want to download the pix521.bin file from the D: partition on a Windows system (IP
address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu and enter the filename
path in the TFTP server root directory edit box; for example, D:\pix_images. To copy the file to the
PIX Firewall, use the following copy tftp command:
copy tftp://10.1.1.5/pix521.bin flash
Chapter 2 Installing a PIX Firewall
The TFTP server receives the command and correlates the actual file location from its root directory
information. The server then downloads the TFTP image to the PIX Firewall.
Note Images prior to version 5.1 cannot be retrieved using this mechanism.
Examples
The following example causes the PIX Firewall to prompt you for the filename and location before you
start the TFTP download:
copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix521.bin
copying tftp://10.1.1.5/pix521.bin to flash
[yes|no|again]?yes
!!!!!!!!!!!!!!!!!!!!!!!…
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!…
Image installed.
2-32
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
The next example takes the information from the tftp-server command. In this case, the TFTP server
is in an intranet and resides on the outside interface. The example sets the filename and location from
the tftp-server command, saves memory, and then downloads the image to Flash memory:
tftp-server outside 10.1.1.5 pix521.bin
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
copy tftp: flash
copying tftp://10.1.1.5/pix521.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!…
The next examples override the information in the tftp-server command to let you specify alternate
information about the filename and location. If you have not set the tftp-server command, you can also
use the copy tftp flash command to specify all information as shown in the second example that
follows:
copy tftp:/pix521.bin flash
copy tftp://10.0.0.1/pix521.bin flash
The next examples map an IP address to the tftp-host name with the name command and use the
tftp-host name in the copy commands:
name 10.1.1.6 tftp-host
copy tftp://tftp-host/pix521.bin flash
copy tftp://tftp-host/tftpboot/pix521.bin flash
Software Installation Notes
Using the monitor Command
After the PIX 506, PIX 515, or PIX 525 restarts, it pauses 10 seconds. To start the ROM monitor, press
the Escape key or send a BREAK character. If you are using Windows HyperTerminal for your console
program, you can press the Esc (Escape) key. From a Telnet session to a terminal server that has serial
access to the PIX 506, PIX 515, and PIX 525, use ctrl ] to get the Telnet command prompt, and then
enter the send break command. If you do not want to enter boot mode when the PIX 506, PIX 515, or
PIX 525 restarts, press the Space bar to start the normal boot immediately, or wait until the 10 seconds
passes and the unit will boot normally from Flash memory.
From ROM monitor, you can enter a number of commands that let you specify the file and location of
the configuration image, and then download it to the unit. The ROM monitor also lets you ping the TFTP
server to see if it is online and to specify the IP address of the nearest router if the image is not on a
subnet shared with a PIX 506, PIX 515, or PIX 525 interface.
Note TFTP does not perform authentication when transferring files, so a username and
password on the TFTP server are not required.
The TFTP server should be installed, but is not required to be, on the most secure part of the network,
preferably on the inside interface.
After you download an image, use the write memory command to store the image in Flash memory.
The monitor feature only works on the PIX 506, PIX 515, and PIX 525 and not with earlier models of
the PIX Firewall.
The maximum length of a filename is 122 characters.
78-11180-01
If the TFTP service stops receiving data requests during a file transfer, it waits four seconds and then
closes the connection.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-33
Software Installation Notes
Follow these steps to download an image over TFTP using the monitor command:
Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK
character or press the Esc (Escape) key.
Note If you are using HyperTerminal with Windows 95, you can press ctrl-break to
The monitor> prompt appears.
Step 2 If desired, enter a question mark (?) to list the available commands.
Step 3 Use the interface command to specify which interface the ping traffic should use. If a PIX 515 or a
PIX 525 have only two interfaces, the monitor command defaults to the inside interface.
Step 4 Use the address command to specify the IP address of the PIX Firewall unit’s interface.
Step 5 Use the server command to specify the IP address of the remote server.
Step 6 Use the file command to specify the filename of the PIX Firewall image. In UNIX, the file needs to be
world readable for the TFTP server to access it.
Chapter 2 Installing a PIX Firewall
activate a BREAK or press the Esc (Escape) key. Depending on which service
pack is installed, Windows NT HyperTerminal may not be able to send a BREAK
character, but the Esc key should work. Refer to the Windows NT documentation
for more information.
Step 7 If needed, enter the gateway command to specify the IP address of a router gateway through which the
server is accessible.
Step 8 If needed, use the ping command to verify accessibility. If this command fails, fix access to the server
before continuing.
Step 9 Use the tftp command to start the download.
2-34
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
The following is an example of the download screen display:
Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 2000
Platform PIX-520
Flash=AT29C040A @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use? for help.
monitor> ?
? this help message
address [addr] set IP address
file [name] set boot file name
gateway [addr] set IP gateway
help this help message
interface [num] select TFTP interface
ping <addr> send ICMP echo
reload halt and reload system
server [addr] set server IP address
tftp TFTP download
timeout TFTP timeout
trace toggle packet tracing
Use of the monitor command continues:
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file pix521.bin
file pix521.bin
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix521.bin@192.168.1.2................................
Received 626688 bytes
Software Installation Notes
78-11180-01
PIX admin loader (3.0) #0: Tue May 11 10:43:02 PDT 2000
Flash=AT29C040A @ 0x300
Flash version n.n.n.n, Install version n.n.n
Installing to flash
...
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-35
Software Installation Notes
TFTP Download Error Codes
During a TFTP download, if tracing is on, non-fatal errors appear in the midst of dots that display as
the software downloads. The error code appears inside angle brackets.
For example, random bad blocks would appear as follows:
....<11>..<11>.<11>......<11>...
Also, tracing will show “A” and “T” for ARP and timeouts, respectively. Receipt of non-IP packets
causes the protocol number to display inside parentheses.
Table 2-3 lists the TFTP error codes.
Table 2-3 Error Code Numeric Values
Error
Code Description
1 Request timed out.
2 The packet length as received from the Ethernet device was not big enough to be a valid
TFTP packet.
3 The received packet was not from the server specified in the server command.
4 The IP header length was not big enough to be a valid TFTP packet.
5 The IP protocol type on the received packet was not UDP, which is the underlying
protocol used by TFTP.
6 The received IP packet's destination address did not match the address specified by the
address command.
7 The UDP ports on either side of the connection did not match the expected values. This
means either the local port was not the previously selected port, or the foreign port was
not the TFTP port, or both.
8 The UDP checksum calculation on the packet failed.
9 An unexpected TFTP code occurred.
10 A TFTP transfer error occurred.
-10 The image file name you specified cannot be found. Check the spelling of the filename
and that permissions permit the TFTP server to access the file. In UNIX, the file needs to
be world readable for the TFTP server to access it.
11 A TFTP packet was received out of sequence.
Chapter 2 Installing a PIX Firewall
2-36
Note Error codes 9 and 10 cause the download to stop.
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Chapter 2 Installing a PIX Firewall
Upgrading the Activation Key
Note The activation key can only be entered after downloading a new image—not from the
command line or without first rebooting.
Note You must have a new activation key before you can use IPSec features or commands. You
can have a new activation key sent to you by completing the form at the following site,
provided you are a registered Cisco user:
https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=
324
To become a registered Cisco user, complete the form at the following site:
http://tools.cisco.com/RPF/register/register.do
Follow these steps to upgrade an activation key on the PIX 506, PIX 515, and PIX 525:
Software Installation Notes
Step 1 Acquire a current PIX Firewall image from Cisco Connection Online (CCO).
Step 2 Set up a TFTP server and transfer the image to the proper directory.
Step 3 Reboot the unit.
Step 4 Press Escape or send the BREAK character to enter the boot ROM monitor. You can send a BREAK on
a Windows system with ctrl-break or by pressing the Esc key.
Step 5 Download a TFTP image as described in the section “Downloading a Software Image over TFTP.”
Step 6 When prompted to “install new image,” enter y.
Step 7 When prompted to “enter new key,” enter y.
Step 8 Enter the four-part activation key. If the key is correct, the system will boot and run correctly.
When done, refer to “After the Prompts” for additional prompts information that displays when a PIX
Firewall starts up.
78-11180-01
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
2-37
Software Installation Notes
Chapter 2 Installing a PIX Firewall
2-38
Installation Guide for the Cisco Secure PIX Firewall Version 5.2
78-11180-01
Loading...